After installing the version of pamsc compatible with linux redhat 8.3, once selinux is enabled in Enforcing mode, the product does not start automatically on booting the server. But it does start by loading is manually by means of seload
Running the following commands to capture the rlelevant information
cp /dev/null /var/log/audit/audit.log
reboot
The contents of audit.log show the following
type=AVC msg=audit(1616667523.444:28): avc: denied { module_load } for pid=1978 comm="insmod" path="/opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko" dev="dm-2" ino=131615 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=system permissive=0
type=AVC msg=audit(1616667564.830:35): avc: denied { unix_read } for pid=2192 comm="(systemd)" key=101557112 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm permissive=0
The above two lines reveal that insmod has tried to load the kernel module but that this action has been prevented by SELinux due to its security context.
ls -Z /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko --> system_u:object_r:bin_t:s0 /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko
In Redhat 8.3 SELinux has been updated to include security policies restricting some operations that may directly affect loading kernel modules. In particular the bin_t security label will not allow a module to be loaded via insmod at boot time. Only modules in /lib/modules/`uname -r` can be uploaded according to policy.
CA PAM SC 14.X, CA PIM 12.8, 12.9 and 14.X Linux on Redhat 8.3
SE is working on a permanent fix, but one simple workaround is to check the context for one of the kernel modules which the system loads at boot time, for instance
ls -lZ /usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz --> system_u:object_r:modules_object_t:s0 /usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz
and then use that module as a reference to set the security label for the module that needs to load at boot time
chcon --reference=/usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko
After this command is run we should see the module is in the right security context
ls -lZ /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko --> system_u:object_r:modules_object_t:s0 /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko
SE is working on a corrected package which will perform this same operation at boot time, so as to prevent this having to be done manually for every new installation