Product SiteDocumentation Site

2.5.4. Configure the Security Policies

CloudStack does various things which can be blocked by security mechanisms like AppArmor and SELinux. These have to be disabled to ensure the Agent has all the required permissions.
  1. Configure SELinux (RHEL and CentOS)
    1. Check to see whether SELinux is installed on your machine. If not, you can skip this section.
      In RHEL or CentOS, SELinux is installed and enabled by default. You can verify this with:
      rpm -qa | grep selinux
    2. Set the SELINUX variable in /etc/selinux/config to "permissive". This ensures that the permissive setting will be maintained after a system reboot.
      In RHEL or CentOS:
      vi /etc/selinux/config
      Change the following line
      SELINUX=enforcing
      to this
      SELINUX=permissive
    3. Then set SELinux to permissive starting immediately, without requiring a system reboot.
      setenforce permissive
  2. Configure Apparmor (Ubuntu)
    1. Check to see whether AppArmor is installed on your machine. If not, you can skip this section.
      In Ubuntu AppArmor is installed and enabled by default. You can verify this with:
      dpkg --list 'apparmor'
    2. Disable the AppArmor profiles for libvirt
      ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/
      ln -s /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper /etc/apparmor.d/disable/
      apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
      apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper