Security-Enhanced Linux (SELinux)

Security-Enhanced Linux (SELinux) is a set of patches to the Linux kernel and various utilities that provide mandatory access control to major subsystems of a node. See https://en.wikipedia.org/wiki/Security-Enhanced_Linux for general discussion of SELinux.

The ICE ClusterWare™ platform supports SELinux on the head nodes and compute nodes.

SELinux On Compute Nodes

For RHEL and CentOS compute nodes, the root file systems created by the scyld-modimg tool include SELinux support as part of the installation of the @core yum group. During the boot process the mount_rootfs script will, like the standard dracut-based initramfs, load the SELinux policy before switching root. Note that the default cmdline in the boot configurations created through scyld-add-boot-config (including the DefaultBoot configuration) contains enforcing=0, which places all compute nodes in SELinux "permissive" mode: policy violations are logged but not blocked. Only remove this option once you have completed testing to confirm that your applications run as expected with SELinux in "enforcing" mode.

SELinux on compute nodes may be disabled in the standard ways through command line arguments or by changing the contents of the node's /etc/selinux/config configuration file. For details please refer to appropriate distro-provided documentation.

In addition to the default "targeted" SELinux policy provided by RHEL and CentOS, the ClusterWare platform also supports the Multi-Level Security (MLS) policy for compute nodes. Enabling the MLS policy inside an image is done the same way as it would be done on a locally installed system. After entering the image chroot using scyld-modimg, first install the selinux-policy-mls package, and then modify the /etc/selinux/config file to reference the newly installed policy. Because the clusterware-node SELinux policy module is installed at image creation time, it may need to be re-installed after switching to the MLS policy:

semodule --install /opt/scyld/clusterware-node/clusterware-node.pp.bz2

The semodule command can also be used to check if the policy is loaded:

semodule --list | grep clusterware

When exiting the chroot, the ClusterWare platform automatically relabels the file system based on the policy referenced in /etc/selinux/config.
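Before dropping enforcing=0 from a boot configuration, it is worth checking what mode the image will actually boot into and whether the clusterware-node module is present for the configured policy type. The following pre-flight checks are an added example, not part of the ClusterWare tooling; they take their inputs as text (constructed samples below) so they can be exercised offline, and on a live node would be fed /etc/selinux/config, the output of semodule --list, and /proc/cmdline.

```shell
#!/bin/sh
# Added example, not ClusterWare's own code: pre-flight checks before removing
# enforcing=0 from a boot configuration cmdline. Inputs are passed as text so
# the functions run offline; real sources are /etc/selinux/config,
# "semodule --list" and /proc/cmdline.

# Print the value of $1 (SELINUX or SELINUXTYPE) from config text on stdin;
# comment and blank lines are ignored and the last assignment wins.
selinux_config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# Succeed if the kernel cmdline ($1) contains enforcing=0, which forces
# permissive mode regardless of SELINUX= in the config file.
cmdline_is_permissive() {
    case " $1 " in
        *" enforcing=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if policy module $1 appears in "semodule --list" output on stdin
# (some versions print extra columns, so match only the name field).
module_listed() {
    grep -q -E "^$1([[:space:]]|$)"
}

# Mode the node will actually boot into: $1 = SELINUX= value, $2 = cmdline.
effective_mode() {
    if [ "$1" = "disabled" ]; then echo disabled; return; fi
    if cmdline_is_permissive "$2"; then echo permissive; else echo "$1"; fi
}

# Constructed sample inputs standing in for an MLS compute-node image.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=mls'
SAMPLE_MODULES='clusterware-node
sshd
unconfined'
SAMPLE_CMDLINE='console=ttyS0 enforcing=0 rd.shell=0'

mode=$(printf '%s\n' "$SAMPLE_CONFIG" | selinux_config_value SELINUX)
ptype=$(printf '%s\n' "$SAMPLE_CONFIG" | selinux_config_value SELINUXTYPE)
echo "policy type: $ptype, effective mode: $(effective_mode "$mode" "$SAMPLE_CMDLINE")"
if printf '%s\n' "$SAMPLE_MODULES" | module_listed clusterware-node; then
    echo "clusterware-node policy module is loaded"
else
    echo "clusterware-node missing: semodule --install /opt/scyld/clusterware-node/clusterware-node.pp.bz2"
fi
```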

Important

Fully configuring a cluster for MLS requires significant effort, including labeling objects on shared storage and defining additional policy around user workflows and tools. Please refer to your operating system documentation, as such details are beyond the scope of this document. Note that ClusterWare-provided schedulers, MPI implementations, and 3rd party applications may need additional custom permissions not covered here in order to configure a functional MLS cluster.

When creating a boot configuration for an MLS-enabled image, please be aware that the MLS policy, by default, does not allow the root user to log into the compute node via ssh. Because ssh is used by the ClusterWare soft power commands, please either enable root login or use the _remote_user node attribute to configure login as a user with sudo shutdown permission. Root login can be enabled through the setsebool command; the boolean is named ssh_sysadm_login.

SELinux On Head Nodes

On head nodes, the ClusterWare platform detects whether SELinux is in "enforcing" mode at both installation time and service run time. To switch SELinux from "enforcing" to "permissive" mode, please see the documentation for your operating system. If this switch is made while the clusterware service is running, please restart that service:

sudo systemctl restart clusterware

MLS Policy On Head Nodes

For head nodes enforcing the MLS policy, the SELinux user sysadm_u should be used to install the ClusterWare platform and run administrative tools.

To map a Linux user to the sysadm_u SELinux user, you can run:

sudo semanage login --add linux_user --seuser sysadm_u

By default, the sysadm_u SELinux user runs in the sysadm_t domain.