Configure SELinux in AD Bridge

Be sure to review the latest SELinux documentation. You can start with the SELinux wiki.

Install SELinux on Unsupported Platforms

If you install SELinux on an unsupported platform, a message similar to the following is displayed:

SELinux found to be present, enabled, and enforcing. You may either provide a policy at /opt/pbis/share/pbis.pp  --OR-- SELinux must be disabled or set to permissive mode by editing the file /etc/selinux/config and rebooting. For instructions on how to edit the file to disable SELinux, see the SELinux man page.

  1. Create a compiled policy. To get started creating an SELinux policy for AD Bridge, use existing policy sources located under version directories: /opt/pbis/share/rhel or in /opt/pbis/share/fedora.
  1. Rename the policy pbis.pp and place it in the \opt\pbis\share directory.
  1. Run the installation again. The pbis.pp file is installed.

Configure SELinux After Installation

After installation of AD Bridge with SELinux, security denials might occur. Security denials caused by the current policy are reported in the /var/log/audit/audit.log log file.

You can resolve security denial issues automatically or manually.

Automatically Resolve Security Denials

To create a policy to resolve existing denials involving applications and resources with pbis in the name:

  1. Type grep pbis /var/log/audit/audit.log | audit2allow -M pbislocal
  2. The file pbislocal.pp is a compiled policy module and can be loaded with semodule -i pbislocal.pp.

Manually Resolve Security Denials

The procedure is similar to automatically resolving security denials. However, you can edit the policy file pbislocal.te:

  1. Type grep pbis /var/log/audit/audit.log | audit2allow -m pbislocal > pbislocal.te
  2. To build a compiled policy, execute the following command in the directory where pbislocal.te is located:
    make -f /usr/share/selinux/devel/Makefile
  3. Load the module with semodule -i pbislocal.pp.