NVMe-TCP on RHEL/Rocky/AlmaLinux - SELinux Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

Understanding SELinux with NVMe-TCP

SELinux modes:

  • enforcing - SELinux policy is enforced (recommended for production)
  • permissive - SELinux logs violations but doesn't block (testing)
  • disabled - SELinux is disabled (not recommended)

Check SELinux status:

getenforce
sestatus

SELinux Policies for NVMe-TCP

Allow NVMe-TCP connections:

# Check for denials
sudo ausearch -m avc -ts recent | grep nvme

# If denials found, generate policy
sudo ausearch -m avc -ts recent | audit2allow -M nvme_tcp_policy

# Review the policy
cat nvme_tcp_policy.te

# Install policy
sudo semodule -i nvme_tcp_policy.pp

Common SELinux Issues

Issue: NVMe connections blocked

# Check for denials
sudo ausearch -m avc -ts recent

# Temporary: Set to permissive for testing
sudo setenforce 0

# Test NVMe connection
sudo nvme connect -t tcp -a <portal_ip> -s 4420 -n <nqn>

# Check for new denials
sudo ausearch -m avc -ts recent

# Generate and install policy
sudo ausearch -m avc -ts recent | audit2allow -M nvme_fix
sudo semodule -i nvme_fix.pp

# Re-enable enforcing
sudo setenforce 1

Issue: Multipath device access denied

# Allow multipath to access devices
sudo setsebool -P virt_use_rawio 1

# Or create custom policy
sudo ausearch -m avc -ts recent | grep multipath | audit2allow -M multipath_nvme
sudo semodule -i multipath_nvme.pp

SELinux Best Practices

  1. Never disable SELinux in production:

    • Use permissive mode for troubleshooting only
    • Always create proper policies
  2. Use audit2allow carefully:

    • Review generated policies before installing
    • Understand what you're allowing
    • Document custom policies
  3. Monitor for denials:

    # Set up monitoring    
    sudo ausearch -m avc -ts today | grep denied  
     
    # Or use setroubleshoot    
    sudo dnf install -y setroubleshoot-server    sudo sealert -a /var/log/audit/audit.log
  4. Keep policies updated:

    # Update SELinux policies    
    sudo dnf update selinux-policy\*