This article aims to bring awareness of SELinux and how this could potentially impact Vault. In-depth troubleshooting of SELinux, its policies and customization are beyond the scope of this document.
What is SELinux
Security-Enhanced Linux (SELinux) is a Linux security module (LSM) built into the Linux kernel. It provides a mechanism that supports access control security policies and implements mandatory access control (MAC).
Red Hat Enterprise Linux (RHEL) is known to have SELinux enabled and configured out-of-the-box. SELinux is available on most Linux distributions.
SELinux operating modes
SELinux has three modes of operation, namely:
- Disabled mode: SELinux is turned off and no policy is loaded.
- Permissive mode: SELinux will audit, but not deny, access operations.
- Enforcing mode: SELinux will audit and enforce the loaded security policy on the entire system.
The current mode of operation can be checked by using the getenforce command.
Most Vault and SELinux related issues have been observed when SELinux is set to enforcing mode. This mode may restrict the Vault process from accessing files and folders not specifically defined in a policy.
Examples of these include, but are not limited to:
- The vault process being unable to access an HSM library while the proper file rights exist.
- The vault process being unable to access a file audit device while the proper file rights exist.
In order to check whether SELinux is actively prohibiting access to a resource (for example a file), the operating mode can temporarily be changed to permissive using the setenforce command:
$ setenforce 0
A more permanent solution would include enabling SELinux debugging and using packages such as setroubleshoot to obtain information about specific operation denials.
It is also useful to check the /var/log/audit/audit.log file on the operating system, as it may contain specific avc: denied messages that can aid in troubleshooting.
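The triage steps above (check the current mode, then look for avc: denied entries that name the vault process) can be scripted. The following POSIX shell helper is an added example and is not part of the original article or of HashiCorp's tooling; the audit log lines it embeds are constructed samples in audit.log format (the PIDs, inodes, file names and contexts are made up), and it assumes the audit log is readable by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the original article): report the SELinux mode and
# pull out the AVC denials raised against the vault process from an audit log.

# Constructed sample audit.log lines (not real output): two denials for the
# vault process (an HSM library read and an audit log write) and one for httpd
# that must be ignored.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="vault" name="libCryptoki2.so" dev="dm-0" ino=98765 scontext=system_u:system_r:vault_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { write } for  pid=1234 comm="vault" name="vault_audit.log" dev="dm-0" ino=12345 scontext=system_u:system_r:vault_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.789:458): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=55555 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
)

# Current SELinux mode via getenforce (Enforcing, Permissive or Disabled);
# prints "unavailable" on hosts without the SELinux userland.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null || echo "unavailable"
    else
        echo "unavailable"
    fi
}

# Emit the log to scan: the constructed sample when $1 is "-", otherwise the
# file at $1 (normally /var/log/audit/audit.log).
read_audit_log() {
    if [ "$1" = "-" ]; then
        printf '%s\n' "$SAMPLE_AUDIT_LOG"
    else
        cat "$1"
    fi
}

# Only the AVC denials whose subject is the vault process (comm="vault").
vault_denials() {
    read_audit_log "$1" | grep 'avc: *denied' | grep 'comm="vault"'
}

# Number of vault denials in the log.
count_vault_denials() {
    vault_denials "$1" | wc -l | tr -d ' '
}

# One line per denial: "<permission> <target name> <tclass> <target context>".
# The target context is what tells you whether the object is simply mislabelled
# (fixable with a label change) or whether the policy itself needs extending.
summarise_vault_denials() {
    vault_denials "$1" |
        sed -n 's/.*{ \([a-z_]*\) }.*name="\([^"]*\)".*tcontext=\([^ ]*\).*tclass=\([a-z_]*\).*/\1 \2 \4 \3/p'
}

# Demo: print the mode, then summarise the log given as $1 (sample if omitted).
echo "SELinux mode: $(selinux_mode)"
summarise_vault_denials "${1:--}"
```

Run it against the real log with `sh selinux_vault_triage.sh /var/log/audit/audit.log` (name assumed). On a system with the audit userland installed, `ausearch -m AVC -c vault` performs the same filtering against the audit daemon's own log and is the usual starting point for setroubleshoot and audit2allow.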
When Vault is installed using the operating system's package manager (rpm, apt, etc.), the vault process normally runs under the user and group vault:vault without a specific SELinux policy. This is sufficient for normal operation when the vault process does not require access to external files and/or libraries.
- Vault File Audit Device
- Hardening HashiCorp Vault with SELinux
- GitHub repository for vault-selinux-policies
- Troubleshooting problems related to SELinux