Introduction
This article aims to raise awareness of SELinux and of how it can affect Vault. In-depth troubleshooting of SELinux, its policies and their customization is beyond the scope of this document.
What is SELinux
Security-Enhanced Linux (SELinux) is a Linux security module (LSM) built into the Linux kernel. It provides a mechanism that supports access control security policies and implements mandatory access control (MAC).
Red Hat Enterprise Linux (RHEL) is known to have SELinux enabled and configured out-of-the-box. SELinux is available on most Linux distributions.
SELinux operating modes
SELinux has three modes of operation: disabled, permissive and enforcing. Permissive mode audits, but does not deny, access operations. Enforcing mode audits and enforces the loaded security policy on the entire system. The current mode of operation can be checked with the getenforce utility:
$ getenforce
Enforcing
SELinux issues
Most Vault and SELinux related issues have been observed when SELinux is set to enforcing mode. This mode may restrict the Vault process from accessing files and folders not specifically defined in a policy.
Examples of these include, but are not limited to:
- The vault process being unable to access an HSM library while the proper file rights exist.
- The vault process being unable to access a file audit device while the proper file rights exist.
Solutions
To check whether SELinux is actively prohibiting access to a resource (for example a file), the operating mode can temporarily be changed to permissive with the setenforce utility (this requires root privileges); getenforce confirms the new mode:
$ setenforce 0
$ getenforce
Permissive
A more permanent solution is to keep SELinux enforcing and diagnose the specific operation denials, using packages such as setools and setroubleshoot to obtain details about each denial.
It's useful to check the /var/log/audit/audit.log file on the operating system as well, as this may contain specific avc: denied messages that could aid in troubleshooting.
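As an added example that is not part of the original article, the following POSIX shell script shows one way to summarise the avc: denied records that audit.log may contain for a given process, so that each denial can be mapped to the permission, object class, source and target contexts and the file involved. The audit records embedded in the script are constructed for illustration (the vault_t domain, paths and inode numbers are hypothetical); on a real host you would pipe /var/log/audit/audit.log into the function instead.

```shell
#!/bin/sh
# Added example, not from the original article or from HashiCorp.
# Summarise SELinux AVC denials for one process from audit.log-style records.

# Constructed sample records following the kernel AVC record layout.
# Context names (vault_t), paths and inode numbers are hypothetical.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="vault" name="vault_audit.log" dev="dm-0" ino=5678 scontext=system_u:system_r:vault_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { open } for  pid=1234 comm="vault" path="/opt/hsm/libpkcs11.so" dev="dm-0" ino=91011 scontext=system_u:system_r:vault_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { write } for  pid=999 comm="httpd" path="/var/www/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.789:458): arch=c000003e syscall=257 success=no exit=-13'

# Read audit records on stdin and print one line per AVC denial whose
# comm= matches the given command name (default: vault), in the form:
#   <permission> <tclass> <scontext> <tcontext> <path or name>
avc_denials_for() {
    comm="${1:-vault}"
    grep 'avc:  denied' | grep "comm=\"$comm\"" | awk '{
        perm = ""; cls = ""; sctx = ""; tctx = ""; obj = "";
        for (i = 1; i <= NF; i++) {
            # The permission set is written as "{ perm }"; take the token after "{".
            if ($i == "{") perm = $(i + 1);
            else if (index($i, "tclass=") == 1)   cls  = substr($i, 8);
            else if (index($i, "scontext=") == 1) sctx = substr($i, 10);
            else if (index($i, "tcontext=") == 1) tctx = substr($i, 10);
            # Prefer the full path when the kernel logged it; fall back to name=.
            else if (index($i, "path=") == 1)     obj  = substr($i, 6);
            else if (index($i, "name=") == 1 && obj == "") obj = substr($i, 6);
        }
        gsub(/"/, "", obj);
        print perm, cls, sctx, tctx, obj;
    }'
}

# Count the denials for a command name (stdin: audit records).
avc_denial_count_for() {
    avc_denials_for "$1" | awk 'END { print NR }'
}

# Demo on the constructed sample. On a real host, reading audit.log needs root:
#   avc_denials_for vault < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for vault
```

Each output line gives exactly the fields a policy author needs when deciding whether a denial is expected (for example a file audit device or an HSM library outside the locations the policy labels for Vault) or whether the file should be relabelled; denials for unrelated processes such as the sample httpd record are filtered out.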
Additional
Normal operation of Vault when installed using the operating system's package manager (rpm, apt, etc.) should result in the vault process running under the user and group vault:vault without a specific SELinux policy. This should be sufficient for normal operation when the vault process does not require access to external files and/or libraries.
In cases where Vault hardening with SELinux is required, we offer a set of baseline Vault specific SELinux policies.
Resources
- HSM-PKCS11-Setup-Issues-Errors
- Vault File Audit Device
- Hardening HashiCorp Vault with SELinux
- GitHub repository for vault-selinux-policies
- Troubleshooting problems related to SELinux