4. Add SELinux¶
If you plan to use SELinux on the Open OnDemand host you must install the ondemand-selinux package.
sudo yum install ondemand-selinux
OnDemand runs under the ood_pun_t context.
The OnDemand SELinux package makes several changes to allow OnDemand to run with SELinux enabled.
Set contexts of several filesystem paths specific to OnDemand.
Enable SELinux booleans.
Apply a custom policy to allow actions to performed by ood_pun_t context.
The custom SELinux booleans provided by the OnDemand SELinux policy:
ondemand_manage_user_home_dir(default=off): Necessary if user home directories are local disk and not NFS. This is useful when OnDemand is hosted on the system also acting as the NFS server for home directories.
ondemand_manage_vmblock(default=off): So far this has only proven necessary when running OnDemand inside of Vagrant when the home directory is a Virtualbox mount.
ondemand_use_nfs(default=on): Allow OnDemand to manage NFS home directories, which is necessary if home directories are accessible via NFS on the OnDemand web node.
ondemand_use_ssh(default=on): Allow OnDemand to use SSH for Shell app and Linux Host Adapter.
ondemand_use_sssd(default=on): Allows OnDemand to access SSSD
ondemand_use_slurm(default=off): Allows OnDemand to interact with SLURM and MUNGE.
ondemand_use_torque(default=off): Allows OnDemand to interact with Torque.
ondemand_use_kubernetes(default=off): Allow OnDemand to interact with Kubernetes.
ondemand_use_ldap(default=off): Allows OnDemand to interact with remote LDAP servers. This does not affect Apache LDAP authentication. This is only necessary if the PUN is interacting with LDAP ports.
ondemand_use_kerberos(default=off): Allow OnDemand to interact with Kerberos.
The following SELinux booleans are enabled by the
use_nfs_home_dirs (can be disabled if the OnDemand web node is not using NFS for home directories)
The following example disabled the OnDemand SSH SELinux boolean.
sudo setsebool -P ondemand_use_ssh=off
If you experience denials when running SELinux with Open OnDemand please provide denial details by generating a ood.te file and posting that to Discourse. It would also help to post the audit.log lines that correspond to the OnDemand specific denials.
cat /var/log/audit/audit.log | audit2allow -M ood
SELinux after Updates¶
After OnDemand updates that include the
ondemand-selinux package, some SELinux booleans may be turned back off if their default value is to be disabled. It is required that after these updates, all SELinux booleans that are enabled should be checked that they are still enabled.
- Firewalld example:
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent $ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent $ sudo firewall-cmd --reload
- Iptables example:
- $ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT $ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT $ sudo iptables-save > /etc/sysconfig/iptables
If using Dex authentication the port used by Dex must also be opened. See Dex Firewall for details.