Configuring SELinux for Commvault

Important

If the loaded policy name is targeted (shown in the Loaded policy name field of the sestatus output), do not perform the following steps. They apply only when the Loaded policy name field displays MLS (sestatus prints it as mls).

If MLS is enabled in enforcing mode on the client computer, perform the following steps as the root user:


1. Log on to the client computer as the root user.

2. Enable the allow_ypbind SELinux boolean persistently (-P keeps the setting across reboots):

setsebool -P allow_ypbind 1

3. Change to the /usr/share/selinux/devel directory. The selinux-policy-devel.noarch RPM must be installed as a prerequisite; it provides the Makefile used to build the module in step 5.

4. Create a file filename.te, where filename is the name of the UNIX file that holds the policy module statements. We recommend using the same name for the policy module and the file. For example, for a policy module for the backup_IDA application, use the file name backup_IDA.te. The content below is in the form that audit2allow generates: the lines beginning with #!!!! are its annotations, and the rules it marks as "allowed in the current policy" describe accesses the base policy already permits, so they are harmless to keep.

vi backup_IDA.te

module backup_IDA 1.0;
require {
type insmod_exec_t;
type semanage_store_t;
type usr_t;
type var_run_t;
type pam_var_run_t;
type sysadm_t;
type initrc_t;
type man_t;
type fusermount_exec_t;
type ipsec_var_run_t;
type setroubleshootd_t;
type insmod_t;
type rpm_var_cache_t;
type useradd_exec_t;
type lib_t;
type modules_conf_t;
type etc_t;
type audisp_t;
type rpm_var_lib_t;
type var_lib_t;
type virtd_t;
type selinux_config_t;
type bin_t;
type sshd_t;
type rpm_t;
type system_map_t;
type var_lock_t;
type var_t;
type scsi_generic_device_t;
type admin_home_t;
class fifo_file { write getattr setattr read create unlink open };
class dbus send_msg;
class chr_file { read write ioctl open };
class file { write getattr link setattr read relabelto unlink open execute execute_no_trans};
class sock_file { write create unlink setattr };
class lnk_file unlink;
class dir { search setattr relabelfrom write getattr rmdir relabelto remove_name };
}
#============= initrc_t ==============
#!!!! This avc is allowed in the current policy
allow initrc_t ipsec_var_run_t:dir setattr;
allow initrc_t var_t:dir { remove_name rmdir };
allow initrc_t usr_t:dir setattr;
allow initrc_t usr_t:fifo_file setattr;
allow initrc_t usr_t:file setattr;
allow initrc_t usr_t:sock_file setattr;
#============= insmod_t ==============
#!!!! This avc is allowed in the current policy
allow insmod_t system_map_t:file { read open };
#!!!! This avc is allowed in the current policy
allow insmod_t var_lock_t:file write;
#!!!! This avc is allowed in the current policy
allow insmod_t virtd_t:fifo_file getattr;
#============= rpm_t ==============
allow rpm_t sshd_t:dbus send_msg;
#============= setroubleshootd_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Constraint rule:
allow setroubleshootd_t audisp_t:dbus send_msg;
allow setroubleshootd_t sshd_t:dbus send_msg;
#============= sshd_t ==============
allow sshd_t bin_t:dir rmdir;
allow sshd_t etc_t:dir { relabelfrom relabelto setattr };
allow sshd_t fusermount_exec_t:file { relabelto unlink setattr };
allow sshd_t insmod_exec_t:file getattr;
allow sshd_t lib_t:dir rmdir;
allow sshd_t lib_t:lnk_file unlink;
allow sshd_t man_t:dir remove_name;
allow sshd_t man_t:file unlink;
#!!!! This avc is allowed in the current policy
allow sshd_t modules_conf_t:dir { write search setattr relabelfrom relabelto getattr };
#!!!! This avc is allowed in the current policy
allow sshd_t modules_conf_t:file getattr;
allow sshd_t pam_var_run_t:dir { relabelfrom relabelto };
allow sshd_t rpm_t:dbus send_msg;
allow sshd_t rpm_var_cache_t:file open;
allow sshd_t rpm_var_lib_t:dir rmdir;
allow sshd_t selinux_config_t:dir rmdir;
allow sshd_t semanage_store_t:dir rmdir;
allow sshd_t setroubleshootd_t:dbus send_msg;
allow sshd_t useradd_exec_t:file getattr;
allow sshd_t usr_t:dir rmdir;
allow sshd_t usr_t:file link;
allow sshd_t var_lib_t:dir rmdir;
allow sshd_t var_run_t:dir rmdir;
#============= sysadm_t ==============
allow sysadm_t scsi_generic_device_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
allow sysadm_t scsi_generic_device_t:chr_file { read write open };
#!!!! This avc is allowed in the current policy
allow sysadm_t usr_t:fifo_file { write setattr read create unlink open };
allow sysadm_t usr_t:sock_file unlink;
#!!!! This avc is allowed in the current policy
allow sysadm_t usr_t:sock_file { write create setattr };
allow sysadm_t admin_home_t:file execute_no_trans;
#!!!! This avc is allowed in the current policy
allow sysadm_t admin_home_t:file execute;

5. Build the policy package from the command line. Run this command from the directory given in step 3, /usr/share/selinux/devel, where the .te file was created:

make backup_IDA.pp

6. Install the module:

semodule -i backup_IDA.pp

7. Install Commvault. The installation must complete without errors.

8. Verify that all Commvault services are up and running:

commvault list

9. Continue with backup and restore operations.

If you find any issues, see Troubleshooting SELinux Configuration.
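The procedure above as one script, added here as an example and not part of Commvault's documentation or product. It reads sestatus to apply the gate the page states (MLS loaded and enforcing; a targeted policy gets none of these steps), then runs steps 2, 3, 5 and 6 with every command checked so a failure stops the procedure, and finally confirms the module is listed by semodule -l. The module name backup_IDA and the directory /usr/share/selinux/devel come from the page; that backup_IDA.te has already been written there (step 4) is an assumption.

```shell
#!/bin/sh
# Added example (not Commvault's own tooling): gate the MLS policy-module
# steps on what sestatus actually reports, then build, install and verify
# the module. Assumes backup_IDA.te already exists in /usr/share/selinux/devel.

DEVDIR=/usr/share/selinux/devel
MODULE=backup_IDA

# Read sestatus output on stdin. Return 0 only when the loaded policy is mls
# and the current mode is enforcing; otherwise return 1. Comparison is
# case-insensitive because sestatus prints "mls" while the docs say "MLS".
mls_enforcing() {
    policy=""
    mode=""
    while IFS= read -r line; do
        case "$line" in
            "Loaded policy name:"*)
                policy=$(printf '%s' "${line#*:}" | tr -d ' \t' | tr '[:upper:]' '[:lower:]') ;;
            "Current mode:"*)
                mode=$(printf '%s' "${line#*:}" | tr -d ' \t' | tr '[:upper:]' '[:lower:]') ;;
        esac
    done
    [ "$policy" = "mls" ] && [ "$mode" = "enforcing" ]
}

# Steps 2, 3, 5 and 6 from the page. Each command is checked so that a
# failure returns non-zero instead of leaving the host half-configured.
build_and_install() {
    mod=$1
    if [ ! -f "$DEVDIR/$mod.te" ]; then
        echo "$DEVDIR/$mod.te not found; write the policy file first (step 4)" >&2
        return 1
    fi
    setsebool -P allow_ypbind 1 || return 1            # step 2
    ( cd "$DEVDIR" && make "$mod.pp" ) || return 1      # steps 3 and 5
    semodule -i "$DEVDIR/$mod.pp" || return 1           # step 6
    # Confirm the module store now lists the module (first column of semodule -l).
    semodule -l | awk '{print $1}' | grep -qx "$mod" || {
        echo "$mod is not loaded after semodule -i" >&2
        return 1
    }
}

main() {
    if sestatus | mls_enforcing; then
        build_and_install "$MODULE"
    else
        echo "Loaded policy is not MLS in enforcing mode; nothing to do" >&2
    fi
}

# Run the real procedure only where the SELinux tools exist.
if command -v sestatus >/dev/null 2>&1; then
    main
fi
```

Run it as root on the client before installing Commvault; if it exits non-zero, the message on stderr names the step that failed, and the Troubleshooting SELinux Configuration page applies from there.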
