Product version

The IBM Integration Bus or IBM App Connect Enterprise versions required for SELinux support are:

• IBM Integration Bus 10.0.0.4 (or later)
• IBM App Connect Enterprise 11.0.0.0 (or later)
• IBM App Connect Enterprise 12.0.1.0 (or later)

Use of SELinux with IBM Integration Bus 10.0.0.3 (or earlier) is not supported: SELinux must be disabled for those versions.

Operating system version

The operating system must meet the following minimum version, depending on the product version:

• Red Hat Enterprise Linux version 6.5 or later for IBM Integration Bus v10.0.
• Red Hat Enterprise Linux version 7.4 or later for IBM App Connect Enterprise 11.0 on Linux for x86_64.
• Red Hat Enterprise Linux version 8.0 or later for IBM App Connect Enterprise 11.0 on Linux for s390x.
• Red Hat Enterprise Linux version 8.0 or later for IBM App Connect Enterprise 12.0.

There are no hardware architecture requirements: this support statement applies to all Red Hat Enterprise Linux hardware architectures supported by the stated IBM Integration Bus and IBM App Connect Enterprise versions.

SELinux configuration

SELinux must be configured as follows, if using IBM Integration Bus 10.0 or IBM App Connect Enterprise outside of containers:

1. The Red Hat Enterprise Linux targeted SELinux policy provided with the operating system must be used. The SELINUXTYPE=targeted option must be set in the SELinux configuration.
2.  All IBM Integration Bus 10.0 or IBM App Connect Enterprise applications, control commands, integration nodes and integration servers must run in an unconfined SELinux security context (for example, SELinux user `unconfined_u`).
3. Do not alter the operating system SELinux security policy to impose additional restrictions on unconfined applications.
4. SELinux must not deny access to the `/var/mqsi` directory, the product install directory, any HA work path directories used by integration nodes, or the work directory of an independent integration server by IBM Integration Bus 10.0 or IBM App Connect Enterprise applications, control commands, integration nodes, and integration servers.
5. Use of Multi-Level Security (MLS) with multiple sensitivity levels is not supported. All of the IBM Integration Bus and App Connect Enterprise applications, control commands, integration nodes, and integration servers on the system must run at the same SELinux sensitivity level

You can use SELinux in either enforcing or permissive mode provided these requirements are satisfied.

Verifying the Configuration

To check the SELinux configuration, run the sestatus command. If SELinux is enabled, the output should be similar to the following:

• SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy version:                 24
  Policy from config file:        targeted

The policy should be "targeted" and the current mode should be either "enforcing" or "permissive". The mode from config file may differ from the current mode in some cases, but it is the current mode which is significant. Note that the values of the other fields may vary between systems and may differ from those shown here.

To check which SELinux security context your command shell is using, run the id -Z command. The output should be similar to the following:

• unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The security context should have an unconfined user (e.g. unconfined_u) running at a single sensitivity level (for example, s0). This example shows an unconfined security context suitable for running IBM Integration Bus v10.0 or IBM App Connect Enterprise v11.0 applications, control commands and queue managers. Note that the security context may vary between systems and may differ from that shown here.

Refer to your Linux support vendor if you require assistance with SELinux configuration.

Related Information