Understanding SELinux with NVMe-TCP
SELinux modes:
-
enforcing- SELinux policy is enforced (recommended for production) -
permissive- SELinux logs violations but doesn't block (testing) -
disabled- SELinux is disabled (not recommended)
Check SELinux status:
getenforce
sestatus
SELinux Policies for NVMe-TCP
Allow NVMe-TCP connections:
# Check for denials
sudo ausearch -m avc -ts recent | grep nvme
# If denials found, generate policy
sudo ausearch -m avc -ts recent | audit2allow -M nvme_tcp_policy
# Review the policy
cat nvme_tcp_policy.te
# Install policy
sudo semodule -i nvme_tcp_policy.pp
Common SELinux Issues
Issue: NVMe connections blocked
# Check for denials
sudo ausearch -m avc -ts recent
# Temporary: Set to permissive for testing
sudo setenforce 0
# Test NVMe connection
sudo nvme connect -t tcp -a <portal_ip> -s 4420 -n <nqn>
# Check for new denials
sudo ausearch -m avc -ts recent
# Generate and install policy
sudo ausearch -m avc -ts recent | audit2allow -M nvme_fix
sudo semodule -i nvme_fix.pp
# Re-enable enforcing
sudo setenforce 1
Issue: Multipath device access denied
# Allow multipath to access devices
sudo setsebool -P virt_use_rawio 1
# Or create custom policy
sudo ausearch -m avc -ts recent | grep multipath | audit2allow -M multipath_nvme
sudo semodule -i multipath_nvme.pp
SELinux Best Practices
-
Never disable SELinux in production:
- Use permissive mode for troubleshooting only
- Always create proper policies
-
Use audit2allow carefully:
- Review generated policies before installing
- Understand what you're allowing
- Document custom policies
-
Monitor for denials:
# Set up monitoring sudo ausearch -m avc -ts today | grep denied # Or use setroubleshoot sudo dnf install -y setroubleshoot-server sudo sealert -a /var/log/audit/audit.log -
Keep policies updated:
# Update SELinux policies sudo dnf update selinux-policy\*