Why a CSN server is not compatible with SELinux

This article is targeted at customers who intend to use the Linux kernel security module called SELinux (Security-Enhanced Linux) with the Cluster Services Node server.

To sum up what is explained below, a CSN server is not compatible and does not function with SELinux enabled.

While "permissive mode" might work on CSN servers, its use is highly discouraged as SELinux is only observing and logging which will impact negatively the server's performance.

"Enforcing mode" will cause CSN to stop functioning.

When setting up a CSN server, the installation script disables SELinux, therefore, SELinux is disabled by default on all CSN servers.

The reason is that SELinux was not considered when designing the CSN application. In other words CSN can not provide a targeted policy as it performs privileged operations on other policied objects (several files in /etc/). CSN assumes it has complete control over the OS and that conflicts with the SELinux's base principles.

In the context of SELinux, if a service, program or user tries to access or modify a file or resource not necessary for it to function, then access is denied and the action is logged.

For example Apache httpd has its own policy, but CSN tries to configure Apache httpd and that is a policy violation per the above principle.

Any operation that touches a file that is declared in the policy of another element of the system (a service, program or user) constitutes a violation, and CSN does of lot of those.