SELinux Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

Understanding SELinux with iSCSI

SELinux modes:

  • enforcing - SELinux policy is enforced (recommended for production)
  • permissive - SELinux logs violations but doesn't block (testing)
  • disabled - SELinux is disabled (not recommended)

Check SELinux status:

getenforce
sestatus

SELinux Policies for iSCSI

Allow iSCSI connections:

# iSCSI should work out-of-the-box with default policies
# Check for denials
sudo ausearch -m avc -ts recent | grep iscsi

# If denials found, generate policy
sudo ausearch -m avc -ts recent | audit2allow -M iscsi_policy

# Review the policy
cat iscsi_policy.te

# Install policy
sudo semodule -i iscsi_policy.pp

Port Labeling

Label iSCSI port (if needed):

# Check current port labels
sudo semanage port -l | grep iscsi

# Add custom port if using non-standard port
sudo semanage port -a -t iscsi_port_t -p tcp 3260

Issue: iSCSI connections blocked

# Check for denials
sudo ausearch -m avc -ts recent

# Temporary: Set to permissive for testing
sudo setenforce 0

# Test iSCSI connection
sudo iscsiadm -m discovery -t sendtargets -p <portal_ip>:3260

# Check for new denials
sudo ausearch -m avc -ts recent

# Generate and install policy
sudo ausearch -m avc -ts recent | audit2allow -M iscsi_fix
sudo semodule -i iscsi_fix.pp

# Re-enable enforcing
sudo setenforce 1

Common SELinux Issues

Issue: Multipath device access denied

# Allow multipath to access devices
sudo setsebool -P virt_use_rawio 1

# Or create custom policy
sudo ausearch -m avc -ts recent | grep multipath | audit2allow -M multipath_iscsi
sudo semodule -i multipath_iscsi.pp
  1. Never disable SELinux in production

    • Use permissive mode for troubleshooting only
    • Always create proper policies
  2. Monitor audit logs regularly

    sudo ausearch -m avc -ts today 
  3. Use booleans when available

    bash # List iSCSI-related booleans 
    sudo getsebool -a | grep iscsi 
  4. Document custom policies

    • Keep .te files in version control
    • Document why each policy was needed