Questions on API Gateway SELinux
Article ID: 259965

Updated On:

Products

CA API Gateway

Issue/Introduction

I am looking for more information about SELinux. These are the SELinux features:

# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.

I note that on the API Gateway v10.1, SELinux is not set to enforcing. What are the possibilities and consequences if we want to set it to enforcing?

Additionally, we would also like to know how this is set up in the new API Gateway version v11. And how is the hardening of the API Gateway appliance v11, which is based on Debian, set up?

Environment

Release: 10.1

Resolution

1. Since we do our own hardening, SELinux is disabled by default on Gateway Appliances v10.0/10.1:

SELinux status: disabled

2. Engineering did not try enabling SELinux; therefore we cannot predict the consequences.

3. The new v11 (Debian OS) appliance also does not have SELinux. It has AppArmor, which is set to enforce by default:

[root@11gwxxx ~]# cat /sys/kernel/security/apparmor/profiles
/usr/sbin/ntpd (enforce)
nvidia_modprobe (enforce)
nvidia_modprobe//kmod (enforce)
lsb_release (enforce)
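
To check these settings by script rather than by eye, the following added example (not part of the original article and not Broadcom code) reads the SELINUX= setting and lists any loaded AppArmor profile that is not in enforce mode. It assumes the standard /etc/selinux/config path and the "name (mode)" line format shown above; the sample input, including the `/usr/sbin/example-daemon` profile, is constructed.

```shell
#!/bin/sh
# Print the SELINUX= value from an SELinux config file, or "absent" if the
# file is missing or has no uncommented SELINUX= line.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo absent; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-absent}"
}

# Print the names of loaded AppArmor profiles that are NOT in enforce mode.
# Each input line has the form "<profile name> (<mode>)".
apparmor_not_enforcing() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$profiles" ] || return 0
    sed -n '/ (enforce)$/!s/ ([a-z]*)$//p' "$profiles"
}

# Print "<mode> <count>" for every mode present, sorted by mode name.
apparmor_mode_counts() {
    profiles="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$profiles" ] || return 0
    awk 'NF { m = $NF; gsub(/[()]/, "", m); n[m]++ }
         END { for (k in n) print k, n[k] }' "$profiles" | sort
}

# Constructed sample input (not taken from a real appliance).
sample_dir=$(mktemp -d)
cat > "$sample_dir/profiles" <<'EOF'
/usr/sbin/ntpd (enforce)
lsb_release (enforce)
/usr/sbin/example-daemon (complain)
EOF
printf '# comment line\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$sample_dir/config"

echo "SELinux config mode: $(selinux_config_mode "$sample_dir/config")"
echo "AppArmor mode counts:"
apparmor_mode_counts "$sample_dir/profiles"
echo "AppArmor profiles not enforcing:"
apparmor_not_enforcing "$sample_dir/profiles"
rm -rf "$sample_dir"
```

Called without arguments, each function reads the live system path, which normally requires root for the AppArmor profiles file.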