Support von SELinux mit SAP HANA DB

The Linux security model “Security-Enhanced Linux” allows the creation and application of policies to control system access. It also provides a very granular level to strengthen the operating system against attacks.

In SELinux, possible actions of a process on a target (e.g. on files or applications) are regulated or restricted. Processes are run as domains in this case to allow them to be separated. If a process is compromised, the attacker only has access to the processes of this domain.

There are three modes of operation in SELinux:

Enforcing: policies are enforced and are active.
Permissive: The system uses the policies but allows all access. The system logs which access would be allowed or forbidden according to the policy
Disabled

In the past, using SELinux in enforcing mode for SAP HANA was not recommended.

Last year, talks on this topic were resumed between Red Hat and SAP. It was agreed to test SAP HANA on RHEL hosts with SELinux in enforcing mode.

SAP HANA Validation Test Suite

Meanwhile, Red Hat in Walldorf successfully ran the “SAP HANA Validation Test Suite” without any degradation in DB performance (the degradation was only about 2%). The “SAP HANA Validation Test Suite” is used by SAP to determine whether a system is capable of running and processing SAP HANA DB. The tests have so far been run on RHEL 8.2, RHEL 8.4, RHEL 8.6 and RHEL 9. RHEL here ran in a minimal package installation, which is a security best practice to minimize the number of processes and applications that could be potential targets of attacks. Red Hat published the following KB on the matter.

SAP has also added the paragraph “SELinux configuration” to its note “2777782 – SAP HANA DB: Recommended OS Settings for RHEL 8“. Although SAP writes that it is still recommended to disable SELinux, SAP HANA could run in SELinux via “unconfined” mode. Nevertheless, SAP reserves the right to have SELinux disabled when analyzing problems.

The fact that SAP and Red Hat are dealing with this issue is a good signal for all customers who want to protect their systems with high security requirements.