This guide describes how to enable SELinux in a rolling fashion on an existing FlashGrid cluster that had SELinux disabled.
Note: Clusters deployed with Launcher versions 25.12 or earlier had SELinux disabled by default. Clusters deployed with Launcher versions 26.03 or newer have SELinux enabled in Permissive mode by default on RHEL/OL 9.
Note: This article does not apply to RHEL/OL 7/8.
Note: Enabling SELinux may impact third-party software or custom applications installed on your cluster. This procedure has been validated only with standard FlashGrid and Oracle software. If you have additional software installed, thoroughly test in a non-production environment and monitor for denials specific to your applications before enabling Enforcing mode.
Note: If the cluster was recently deployed and the nodes have not been rebooted yet, then reboot all nodes before proceeding with this article.
Prerequisites
- Perform a full backup of all cluster nodes. Choose the method according to your cloud provider:
  - FlashGrid Cluster on AWS. Backup Best Practices
  - FlashGrid Cluster on Azure. Backup Best Practices
  - FlashGrid Cluster on GCP. Backup Best Practices
- Perform changes in a lower environment before production.
- Start with the quorum server first, then proceed to the RAC nodes one at a time.
- Check the enforcement settings and follow the corresponding Phase of the document:
  # getenforce
  - Disabled: follow all Phases (1-3) of the implementation, transitioning from Disabled -> Permissive -> Enforcing.
  - Permissive: skip Phase 1 and proceed with Phase 2 and Phase 3, transitioning from Permissive -> Enforcing.
Phase 1: Enable Permissive Mode
Perform these steps on each node, one at a time.
- Verify the cluster status is good before proceeding:
  # flashgrid-cluster
- Check the enforcement settings:
  # getenforce
  Expected output:
  Disabled
- Remove the immutable setting from the SELinux config file:
  # chattr -i /etc/selinux/config
- Change the setting from Disabled to Permissive:
  # sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
- To prevent incorrectly labeled and unlabeled files from causing problems, enable a full relabel for the next boot:
  # fixfiles -F onboot
- Make sure there are no other nodes that are in an offline or re-syncing state. All disk groups must have zero offline disks, and Resync = No.
  # flashgrid-cluster
- If the node is a database node, stop all local database instances running on the node.
- Reboot the node using the flashgrid-node command. It will gracefully put the corresponding failure group offline.
  # flashgrid-node reboot
- Before proceeding to the next node, wait until the node boots up, all disks are back online, and resync operations are complete on all disk groups. All disk groups must have zero offline disks and Resync = No before it is safe to update the next node.
  # flashgrid-cluster
- Set the immutable setting back on the SELinux config file:
  # chattr +i /etc/selinux/config
- Check the enforcement settings:
  # getenforce
  Expected output:
  Permissive
- Proceed to the next node until you complete all nodes.
Phase 2: Monitor SELinux denials
After enabling Permissive mode on all servers, monitor each node for SELinux denials. Only proceed to Enforcing mode once monitoring is complete.
- Check all denials from today:
  # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts today
- Check recent denials (last 10 minutes):
  # ausearch -m avc -ts recent
- Monitor denials live using audit.log:
  # tail -f /var/log/audit/audit.log
Note: Before proceeding to Enforcing mode, ensure all scheduled jobs have executed during the monitoring period. If your environment has weekly jobs, monitor for at least one week. If you have monthly jobs (e.g., month-end processing, backups, reports), wait until those have run. SELinux denials may only appear when these periodic processes execute.
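Over a monitoring period of a week or more, the raw audit.log grows far beyond what can be read line by line. The helper below is an added example, not part of the FlashGrid guide: it collapses AVC denial records into one line per process, source and target context, object class and permission set, so the review before Phase 3 becomes a short table. The sample records it writes are constructed in audit.log format (not real events); the ip ioctl entries mirror the Oracle AHF case described under Known Issues.

```shell
#!/bin/bash
# Added example, not part of the FlashGrid guide: condense Permissive-mode AVC
# records into one line per (process, source context, target context, class,
# permissions) so a monitoring period's audit.log can be reviewed as a table.

# Constructed sample records in audit.log format (not real events); the ip
# ioctl entries mirror the Oracle AHF case described under Known Issues.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1776707342.002:781): arch=c000003e syscall=16 success=no exit=-25 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1776707342.002:781): avc:  denied  { ioctl } for  pid=36938 comm="ip" path="/u01/app/grid/oracle.ahf/data/sample1.dat" dev="dm-0" ino=1001 ioctlcmd=0x5401 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1776707402.115:790): avc:  denied  { ioctl } for  pid=37001 comm="ip" path="/u01/app/grid/oracle.ahf/data/sample2.dat" dev="dm-0" ino=1002 ioctlcmd=0x5401 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1776707500.331:802): avc:  denied  { read open } for  pid=37120 comm="logrotate" path="/u01/app/sample/app.log" dev="dm-0" ino=1003 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
EOF
}

# Summarize AVC denials from the given audit.log files (or stdin), most
# frequent first. Columns: count, comm, scontext, tcontext, tclass, permissions.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; comm = ""; sctx = ""; tctx = ""; tcls = ""
            # the denied permissions sit between braces, e.g. "{ read open }"
            if (match($0, /\{[^}]*\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "comm")     comm = kv[2]
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   tcls = kv[2]
            }
            gsub(/"/, "", comm)
            count[comm "\t" sctx "\t" tctx "\t" tcls "\t" perm]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' "$@" | sort -rn
}
```

On a node, run it against the real log with `summarize_avc /var/log/audit/audit.log*`; each distinct line is one policy question to settle (relabel, boolean, or a local module as in Known Issues) before switching to Enforcing.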
Phase 3: Enable Enforcing Mode
This procedure doesn't require any downtime or reboot.
- Remove the immutable setting:
  # chattr -i /etc/selinux/config
- Configure the SELinux mode to Enforcing in /etc/selinux/config for persistence:
  # sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
- Enable the immutable setting:
  # chattr +i /etc/selinux/config
- Set enforcement to Enforcing:
  # setenforce 1
- Proceed to the next node until you complete all nodes.
Emergency Rollback
If issues occur after enabling Enforcing mode, revert to Permissive immediately:
# setenforce 0
In case you want to make Permissive mode persistent across reboots:
# chattr -i /etc/selinux/config
# sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
# chattr +i /etc/selinux/config
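Phase 1, Phase 3 and the rollback above all edit SELINUX= in /etc/selinux/config between chattr -i and chattr +i, and the guide's order (Disabled -> Permissive -> Enforcing, with Enforcing -> Permissive only as rollback) is what keeps a node from enforcing before it has been relabeled and monitored. The helper below is an added example, not FlashGrid tooling: it takes the config path as a parameter so it can be tried on a constructed copy, refuses any transition the guide does not prescribe, and drops and restores the immutable bit only when the file actually carries it.

```shell
#!/bin/bash
# Added example, not FlashGrid tooling: change the persistent SELinux mode in a
# config file while permitting only the transitions this guide prescribes.
# The config path is a parameter so the helper can be tried on a constructed copy.

# Print the SELINUX= value (disabled/permissive/enforcing) from config file $1.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if moving from mode $1 to mode $2 is a step the guide allows:
# Phase 1 disabled->permissive, Phase 3 permissive->enforcing,
# and the emergency rollback enforcing->permissive.
selinux_transition_allowed() {
    case "$1:$2" in
        disabled:permissive|permissive:enforcing|enforcing:permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite SELINUX= in config $1 to mode $2, refusing any other transition.
# The immutable bit is dropped and restored only if the file carries it, which
# is how the guide wraps each edit of /etc/selinux/config in chattr -i / +i.
selinux_set_config_mode() {
    config="$1"; target="$2"
    current="$(selinux_config_mode "$config")"
    [ -n "$current" ] || { echo "no SELINUX= line in $config" >&2; return 2; }
    if ! selinux_transition_allowed "$current" "$target"; then
        echo "refusing $current -> $target: follow the Phases in order" >&2
        return 1
    fi
    immutable=0
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr "$config" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        immutable=1
        chattr -i "$config"
    fi
    sed -i "s/^SELINUX=$current/SELINUX=$target/" "$config"
    [ "$immutable" -eq 1 ] && chattr +i "$config"
    return 0
}

# On a real node, the Phase 1 edit is: selinux_set_config_mode /etc/selinux/config permissive
# (still followed by fixfiles -F onboot and the flashgrid-node reboot from the guide).
```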
Known Issues
Oracle AHF
While in permissive mode, you may encounter audit logs like the following. Oracle AHF (oswbb) runs the ip command, and SELinux denies the ioctl it performs on a file in the AHF repository:
time->Mon Apr 20 17:49:02 2026
type=PROCTITLE msg=audit(1776707342.002:781): proctitle=6970002D73006C696E6B
type=SYSCALL msg=audit(1776707342.002:781): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff0d4e3fd0 a3=fff items=0 ppid=36928 pid=36938 auid=4294967295 uid=3002 gid=2000 euid=3002 suid=3002 fsuid=3002 egid=2000 sgid=2000 fsgid=2000 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1776707342.002:781): avc: denied { ioctl } for pid=36938 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/rac1/oswbb/grid/archive/oswnetstat/rac1.mycompany.mydomain_netstat_26.04.20.1700.dat" dev="dm-0" ino=84104715 ioctlcmd=0x5401 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
Oracle has not provided a permanent fix for this issue. Below is a recommended workaround:
# ausearch -m AVC -ts recent -x /usr/sbin/ip -sc ioctl -se ifconfig_t | audit2allow -M oracle_ahf_oswbb_ip_ioctl
# semodule -i oracle_ahf_oswbb_ip_ioctl.pp
SELinux will now permit the previously denied ioctl call from the ip command.