3. Modify System Security

SELinux

  1. If you plan to use SELinux on the Open OnDemand host you must install the ondemand-selinux package.

    sudo yum install ondemand-selinux
    

    Note

    OnDemand runs under the ood_pun_t context.

The OnDemand SELinux package makes several changes to allow OnDemand to run with SELinux enabled.

  • Set contexts of several filesystem paths specific to OnDemand.
  • Enable SELinux booleans.
  • Apply a custom policy to allow actions to performed by ood_pun_t context.

The custom SELinux booleans provided by the OnDemand SELinux policy:

  • ondemand_manage_user_home_dir (default=off): Necessary if user home directories are local disk and not NFS. This is useful when OnDemand is hosted on the system also acting as the NFS server for home directories.
  • ondemand_manage_vmblock (default=off): So far this has only proven necessary when running OnDemand inside of Vagrant when the home directory is a Virtualbox mount.
  • ondemand_use_nfs (default=on): Allow OnDemand to manage NFS home directories, which is necessary if home directories are accessible via NFS on the OnDemand web node.
  • ondemand_use_ssh (default=on): Allow OnDemand to use SSH for Shell app and Linux Host Adapter.
  • ondemand_use_shell_app (default=off): DEPRECATED Replaced by ondemand_use_ssh
  • ondemand_use_sssd (default=on): Allows OnDemand to access SSSD
  • ondemand_use_slurm (default=off): Allows OnDemand to interact with SLURM and MUNGE.
  • ondemand_use_torque (default=off): Allows OnDemand to interact with Torque.
  • ondemand_use_kubernetes (default=off): Allow OnDemand to interact with Kubernetes.
  • ondemand_use_ldap (default=off): Allows OnDemand to interact with remote LDAP servers. This does not affect Apache LDAP authentication. This is only necessary if the PUN is interacting with LDAP ports.
  • ondemand_use_kerberos (default=off): Allow OnDemand to interact with Kerberos.

The following SELinux booleans are enabled by the ondemand-selinux package:

  • httpd_setrlimit
  • httpd_mod_auth_pam
  • httpd_run_stickshift
  • httpd_can_network_connect
  • daemons_use_tty
  • use_nfs_home_dirs (can be disabled if the OnDemand web node is not using NFS for home directories)

The following example disabled the OnDemand SSH SELinux boolean.

sudo setsebool -P ondemand_use_ssh=off

If you experience denials when running SELinux with Open OnDemand please provide denial details by generating a ood.te file and posting that to Discourse. It would also help to post the audit.log lines that correspond to the OnDemand specific denials.

cat /var/log/audit/audit.log | audit2allow -M ood

SELinux after Updates

After OnDemand updates that include the ondemand-selinux package, some SELinux booleans may be turned back off if their default value is to be disabled. It is required that after these updates, all SELinux booleans that are enabled should be checked that they are still enabled.

Firewall

  1. Open ports 80 (http) and 443 (https) in the firewall, typically done with firewalld or iptables.

    Firewalld example:
    $ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
    $ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
    $ sudo firewall-cmd --reload
    
Iptables example:
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ sudo iptables-save > /etc/sysconfig/iptables

Note

If using Dex authentication the port used by Dex must also be opened. See Dex Firewall for details.