Identity Governance and SELinux

Hi everybody,

I am wondering if anybody could provide some hints on how to install IDG 4.3.1 on an SELinux enabled RHEL 8 server?

Sorry, if I missed something in the documentation, but I am quite sure there is nothing in the IGA 4.x documentation like the small note found in the IDM 4.8 documentation.

Kind regards

Thorsten 

  • 0  

    Hi Thorsten,

    Maybe that would be a question best answered on the IGA list:  IGA User Discussions

    Casper

  • 0  

    Hi  

    I'm moving your discussion to the IGA User Discussion area for better exposure. 

    Thanks,

    Elizabeth

    Community Manager 

  • 0  

    If you are using a database backend that is supplied by DBA services in your org, then from a SELinux standpoint I think you are securing apache tomcat, and the configutil and configupdate scripts/java programs.   That may help reduce the scope of what needs to be researched.

  • 0 in reply to   

    Hi James,

    thanks for your answer! Since I am either a RHEL nor SELinux geek, the question is how to secure an IG server correctly! 

    IS SELinux similar to AppArmor on SLES? 

    Would it be correct to turn SELinux off during installation and let it run in permissive mode over some time to "learn"?

    Kind regards

    Thorsten

  • 0   in reply to 

    I can tell you in my experience, SELinux is usually leveraged by US Federal Agencies that are required to do so per regulation.  It's rare for me to see private sector companies use it.  In general I've seen organizations dust disable it, or set it to permissive --- granted, these are all internal systems, and they have other layers of protection in place such as firewall, and other endpoint agents protecting and patching their systems.  Another mitigating factor is that in IG deployments, you usually run the tomcat instance not as root, and as a regular user with limited rights.

    SELinux doesn't learn over time, you would need to configure a set of rules to allow the processes involved (apache tomcat and those java apps for configuration) to access resources and security context.  If you needed to, you could probably find examples of config to get apache running, however getting the config tools to work might be a little more invovled.

    If it were me, I'd avoid using it unless I was required to.

    --Jim