How to configure SELinux to support Aspera server software

Description

SELinux is a security mechanism implemented in the Linux kernel and used on distributions such as Red Hat Enterprise Linux and CentOS.

SELinux works by restricting the access that processes have to the filesystem: every process and every file carries a security context (label), and the loaded policy decides which contexts may interact.

Aspera generally advises disabling SELinux when it is not needed. If SELinux is required on your system, however, you can configure it so that Enterprise Server, Connect Server or P2P works as expected.

Before you start

The following instructions assume that SELinux is enforcing on your system with the targeted policy, and that unconfined domains are enabled (they are enabled by default unless you have manually disabled them).

You can check that unconfined domains are enabled with the following command:

# semodule -l | grep unconfined

If the unconfined module is listed as Disabled, you can re-enable it with the following command:

# semodule -e unconfined

You can check the status and policy of SELinux with the sestatus command:

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

Instructions

1. Configure SELinux to allow aspshell

Run the following commands:

# echo /bin/aspshell-r >> /etc/shells
# echo /bin/aspshell >> /etc/shells
# semanage fcontext -a -t shell_exec_t "/bin/aspshell"
# restorecon -v /bin/aspshell

2. (For Connect Server) Configure SELinux to allow the script aspera-dirlist.pl to be run

Run the following commands:

# setsebool -P httpd_enable_cgi 1
# semanage fcontext -a -t httpd_unconfined_script_exec_t "/opt/aspera/var/webtools/scripts/aspera-dirlist.pl"
# restorecon -v /opt/aspera/var/webtools/scripts/aspera-dirlist.pl

3. (For Faspex and Shares) Configure SELinux to allow the authorized_keys file to be accessed

If your transfer server is used with Faspex or Shares, an additional SELinux file context must be set for the transfer user that your application uses.

For Faspex, the transfer user is usually faspex. For Shares the transfer user is usually shares.

Run the following commands, substituting the path to the transfer user's home directory:

# semanage fcontext -a -t ssh_home_t "/path/to/user_homedirectory/.ssh(/.*)?"
# restorecon -Rv /path/to/user_homedirectory/.ssh

4. (For Connect Client) Configure SELinux to allow running the plugin

# setsebool -P unconfined_mozilla_plugin_transition 0
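
As an added example, not part of this article or Aspera's own tooling, the following POSIX shell script applies the four steps above in one pass and checks the result afterwards. It assumes GNU stat (for the %C context format) and the semanage, restorecon, setsebool and getsebool utilities from policycoreutils; the Faspex or Shares transfer user's home directory is an optional argument, and the script file name below is a placeholder.

```shell
# Added example (not Aspera's own tooling): apply the steps above
# idempotently and verify the result. Assumes GNU stat and policycoreutils.
DIRLIST=/opt/aspera/var/webtools/scripts/aspera-dirlist.pl

# add_shell FILE PATH: append PATH only if absent, so re-running does not leave duplicate /etc/shells entries.
add_shell() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}
# fcontext_base SPEC: strip the "(/.*)?" regex suffix so restorecon gets a real path.
fcontext_base() { printf '%s\n' "$1" | sed 's/(.*//'; }
# context_type CTX: the type field of a "user:role:type:level" context string.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# label_path TYPE SPEC: add the persistent rule (modify it if it exists), then relabel.
label_path() {
    semanage fcontext -a -t "$1" "$2" 2>/dev/null \
        || semanage fcontext -m -t "$1" "$2"
    restorecon -Rv "$(fcontext_base "$2")"
}

# check_label TYPE PATH: succeed if the file currently carries TYPE.
check_label() {
    [ "$(context_type "$(stat -c %C "$2" 2>/dev/null)")" = "$1" ]
}

# check_bool NAME on|off: succeed if getsebool reports the expected value.
check_bool() {
    [ "$(getsebool "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# apply_all [HOMEDIR]: steps 1-4; HOMEDIR is the Faspex/Shares transfer user's home.
apply_all() {
    add_shell /etc/shells /bin/aspshell-r
    add_shell /etc/shells /bin/aspshell
    label_path shell_exec_t /bin/aspshell
    setsebool -P httpd_enable_cgi 1
    label_path httpd_unconfined_script_exec_t "$DIRLIST"
    if [ -n "$1" ]; then label_path ssh_home_t "$1/.ssh(/.*)?"; fi
    setsebool -P unconfined_mozilla_plugin_transition 0
}

# verify_all [HOMEDIR]: non-zero exit status on the first check that fails.
verify_all() {
    check_label shell_exec_t /bin/aspshell \
    && check_bool httpd_enable_cgi on \
    && check_label httpd_unconfined_script_exec_t "$DIRLIST" \
    && check_bool unconfined_mozilla_plugin_transition off \
    && { [ -z "$1" ] || check_label ssh_home_t "$1/.ssh"; }
}

case "${1:-}" in apply) apply_all "${2:-}" ;; verify) verify_all "${2:-}" ;; esac
```

Run `sh aspera-selinux.sh apply /home/faspex` as root, then `sh aspera-selinux.sh verify /home/faspex`; omit the home directory argument on servers that do not serve Faspex or Shares.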