Systemwalker Operation Manager Installation Guide
FUJITSU Software

2.2.4 Setting Up SELinux

The following explains the settings required for Linux environments where the SELinux (Security-Enhanced Linux) function is enabled.

When a security violation message for the application to be executed as a job appears in the log output by SELinux

If the application executed as a job is one that involves a domain transition, a security violation message concerning a file under the Systemwalker Operation Manager directory may appear in the log output by SELinux, depending on the privileges granted to the domain in which the application runs.

This security violation message is output because the standard output and standard error of the application are written to a file that Systemwalker Operation Manager manages. To suppress this message, grant the domain in which the application runs access to files of the 'sw_fjsvmjs_spool_t' type, which is the SELinux type assigned to the Systemwalker Operation Manager files.

Describing the SELinux policy file

Add the following statement to the SELinux policy file, replacing <domain> with the domain in which the application runs:

allow <domain> sw_fjsvmjs_spool_t:file { write getattr };

The following example shows how to grant access rights to the sample_t domain:

allow sample_t sw_fjsvmjs_spool_t:file { write getattr };

Apart from the case above, an application executed from Systemwalker Operation Manager may also cause a security violation message. Normally, when an application is started by a user who has logged in at the console or similar, it runs in the unconfined_t domain. When the same application is started from Systemwalker Operation Manager, however, it runs in the initrc_t domain, which it inherits from the Systemwalker Operation Manager daemon. Because of this difference, a security violation message may appear depending on what the job does.

To resolve security violations, grant the application the necessary access rights based on the information in the log output by SELinux.

An example of granting access rights is shown below. In the actual environment, determine which domain to grant rights to, and which rights to grant, according to the message that appears.

Example of granting access rights to the hostname_t domain
allow hostname_t self:capability { dac_override };
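The rules above are the end product of reading the SELinux log. As an added example (not code from the manual or from Fujitsu), the POSIX shell script below derives such a rule from an AVC denial line and packages it as a loadable policy module; the AVC line is constructed for the example, sample_t is the manual's placeholder domain, and the module name swmjs_spool and the output paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the Systemwalker manual): turn an SELinux AVC denial
# into the allow rule the text describes and package it as a loadable module.
# The AVC line is constructed; "sample_t" is the manual's placeholder domain.
set -eu

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:45): avc:  denied  { write getattr } for  pid=1234 comm="jobapp" name="stdout.log" dev="dm-0" ino=5678 scontext=system_u:system_r:sample_t:s0 tcontext=system_u:object_r:sw_fjsvmjs_spool_t:s0 tclass=file permissive=0'

# Parse one AVC line, setting src/tgt/cls/perms; fails if any field is missing.
parse_avc() {
  src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
  [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
}

# Format the denial as the policy statement the manual shows.
avc_to_allow() {
  parse_avc "$1" || return 1
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Write Type Enforcement source for a module carrying exactly that one rule.
# $1 = module name, $2 = output path, $3 = AVC line
write_te() {
  parse_avc "$3" || return 1
  {
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$1" "$src"
    # a rule against the domain itself (the capability case) needs one type line
    [ "$src" = "$tgt" ] || printf '    type %s;\n' "$tgt"
    printf '    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
      "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
  } > "$2"
}

# Compile and load (needs checkmodule, semodule_package, semodule; run as root).
# audit2allow -M does the same from a captured log; this makes the mapping explicit.
install_module() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

avc_to_allow "$SAMPLE_AVC"   # allow sample_t sw_fjsvmjs_spool_t:file { write getattr };
write_te swmjs_spool "${TMPDIR:-/tmp}/swmjs_spool.te" "$SAMPLE_AVC"
```

Grant only the permissions the denial reports; the generated module should be reviewed before `install_module swmjs_spool` is run, since it is easy to turn a denial into a broader rule than the job actually needs.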

See

Refer to the Linux online manuals, etc. for how to grant access rights of the SELinux function.

When login to the FTP server used for Task Link fails, or the file to be transferred cannot be accessed

Enabling SELinux may cause login to the FTP server used for Task Link to fail, or prevent access to the file to be transferred.

This problem occurs because the SELinux domain to which the FTP server belongs (for example, the ftpd_t domain) has not been granted access rights to the login directory, the file to be transferred, and the storage directory. To resolve it, grant these access rights to the SELinux domain to which the FTP server belongs.

An example of granting access rights is shown below. In the actual environment, determine which domain to grant rights to, and which rights to grant, according to the message that appears.

Example of granting access rights to the ftpd_t domain
allow ftpd_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow ftpd_t home_root_t:dir search;
allow ftpd_t user_home_dir_t:dir { read search open };

Example of a command that allows FTP to read and write files under users' home directories
# setsebool -P ftp_home_dir on

See

Refer to the Linux online manuals, etc. for how to grant access rights of the SELinux function.