3. Modify System Security

SELinux

Danger

Support for SELinux on the Open OnDemand host is currently considered an alpha feature.

  1. If you plan to use SELinux on the Open OnDemand host you must install the ondemand-selinux package.

    sudo yum install ondemand-selinux
    

    Note

    OnDemand runs under the same SELinux context as Apache, httpd_t.

The OnDemand SELinux package makes several changes to allow OnDemand to run with SELinux enabled.

  • Set context of several ondemand-nginx directories and files.
  • Enable several booleans.
  • Apply a custom policy to allow some additional actions by processes in the httpd_t context.

If you experience denials when running SELinux with Open OnDemand, please provide denial details by generating an ood.te file and posting it to Discourse. It also helps to post the audit.log lines that correspond to the OnDemand-specific denials.

    cat /var/log/audit/audit.log | audit2allow -M ood
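Since audit.log mixes AVC records from every domain on the host with unrelated audit events, the lines worth posting are the denials whose source context is httpd_t. The script below is an added example, not part of the Open OnDemand documentation or the ondemand-selinux package. It writes a few constructed AVC records (laid out like the kernel's real AVC format, but with made-up pids, inodes and paths) to a temporary file standing in for /var/log/audit/audit.log, then filters and summarises them; the function names ood_avc_denials and ood_denial_summary are this example's own.

```shell
#!/bin/sh
# Added example (not from the OnDemand docs): pick out the AVC denials that
# involve the httpd_t context so only the OnDemand-relevant lines get posted
# alongside the ood.te file.

# Constructed sample audit records standing in for /var/log/audit/audit.log.
# Only the first two have scontext httpd_t; the third is an unrelated sshd_t
# denial and the fourth is not an AVC record at all.
SAMPLE_AUDIT_LOG="${TMPDIR:-/tmp}/ood_audit_sample.$$"
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="config.yml" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { connectto } for  pid=1235 comm="httpd" path="/var/run/ondemand-nginx/user/passenger.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=2000 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1700000003.000:459): pid=2001 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" res=success'
EOF

# ood_avc_denials LOGFILE
# Print only AVC "denied" records whose *source* context type is httpd_t,
# i.e. actions attempted by processes in the domain OnDemand runs in.
ood_avc_denials() {
    grep 'type=AVC' "$1" | grep 'avc:  denied' | grep 'scontext=[^ ]*:httpd_t:'
}

# ood_denial_summary LOGFILE
# Reduce each httpd_t denial to "permission tclass target_type", which is the
# information a policy author needs first. The target type is the third
# colon-separated field of tcontext (user:role:type[:level]), so this works
# with or without an MLS range on the end.
ood_denial_summary() {
    ood_avc_denials "$1" | sed -n \
        's/.*denied  { \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \3 \2/p'
}

# Stand-alone run: show the filtered raw lines, then the one-line summaries.
echo "== httpd_t denials =="
ood_avc_denials "$SAMPLE_AUDIT_LOG"
echo "== summary (permission tclass target_type) =="
ood_denial_summary "$SAMPLE_AUDIT_LOG"
```

Pointing ood_avc_denials at the real /var/log/audit/audit.log (as root) gives the lines to paste into a Discourse post, and the same filtered output can be piped into audit2allow -M ood so the generated ood.te covers only the httpd_t denials rather than every denial on the host.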

Firewall

  1. Open ports 80 (http) and 443 (https) in the firewall, typically done with firewalld or iptables.

    Firewalld example:
    $ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
    $ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
    $ sudo firewall-cmd --reload
    
    Iptables example:
    $ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    $ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    $ sudo iptables-save > /etc/sysconfig/iptables
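The iptables commands above use -I (insert at the top of INPUT) rather than -A (append) on purpose: a default EL INPUT chain ends in a catch-all REJECT, and an ACCEPT appended after it is never reached. The script below is an added example, not part of the Open OnDemand documentation; it checks an INPUT ruleset in the format printed by iptables -S INPUT and reports whether TCP 80 and 443 are accepted before any catch-all REJECT/DROP. The two rulesets are constructed samples (one built with -I as the page does, one built with -A), and the function names port_reachable and ood_web_ports_open are this example's own.

```shell
#!/bin/sh
# Added example (not from the OnDemand docs): verify that the INPUT chain
# accepts TCP 80 and 443 *before* any catch-all REJECT/DROP rule.

# Constructed sample of `iptables -S INPUT` on a default EL host after the
# page's two `-I INPUT` commands (443 was inserted last, so it sits first).
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of the same host had the rules been added with -A:
# the ACCEPTs land after the catch-all REJECT and never match.
SAMPLE_RULES_BAD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# port_reachable RULES PORT
# Exit 0 if an ACCEPT for tcp/PORT appears before every catch-all
# REJECT/DROP in the chain, 1 otherwise. Rules are evaluated top to bottom,
# so the first terminating rule that matches decides.
port_reachable() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # A terminating rule with no --dport match is treated as a catch-all;
        # reaching one before our ACCEPT means the port is blocked.
        /-j (REJECT|DROP)/ && !/--dport/ { exit 1 }
        # An ACCEPT for exactly this TCP port (word-bounded so 80 != 8080).
        /-p tcp/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { found = 1; exit 0 }
        END { exit found ? 0 : 1 }
    '
}

# ood_web_ports_open RULES
# Both OnDemand ports must be reachable.
ood_web_ports_open() {
    port_reachable "$1" 80 && port_reachable "$1" 443
}

# Stand-alone run: report on both constructed rulesets.
for name in SAMPLE_RULES_OK SAMPLE_RULES_BAD; do
    eval "rules=\$$name"
    if ood_web_ports_open "$rules"; then
        echo "$name: 80/tcp and 443/tcp reachable"
    else
        echo "$name: 80/tcp or 443/tcp blocked by an earlier catch-all rule"
    fi
done
```

On a live host the same check is port_reachable "$(sudo iptables -S INPUT)" 80; after iptables-save, repeat it against the saved file's INPUT lines to confirm the rules persisted. For firewalld, the equivalent sanity check is to confirm that firewall-cmd --zone=public --list-ports lists both 80/tcp and 443/tcp after the reload.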