
Hello, what is the SELinux protection policy (hawk armor) in Nutanix, and where can I find ANY info about it? This seems to be a new policy in AOS 7.3 and is completely omitted from the release notes.

http://portal.nutanix.com/kb/17892

This is related to FEAT-14864 in the release notes.

https://portal.nutanix.com/page/documents/details?targetId=Release-Notes-AOS-v7_3:Release-Notes-AOS-v7_3

Enhanced Controller VM (CVM) Security (FEAT-14864)

AOS 7.3 introduces an enhancement to CVM security that restricts data access within the CVM. With this enhancement, access to underlying data is further restricted to internal system processes, helping reduce the risk of unauthorized modification.

Note: This feature is enabled by default for new clusters deployed with the AOS 7.3 release.

I will see if I can find more detailed external information on this.


Thanks, I did not notice that in the release notes. Anyway, I had 1 node out of 10 failing that check.

The hawk_armor_secure.pp semodule failed to install because the hawk_armor_types module was already loaded, and it included the conflicting type secure_executable_file_t. Not sure how those modules relate to each other, but the healthy nodes have just hawk_armor_secure loaded.

2025-09-09 16:14:21 - Command failed after 5 attempts: semodule -i '/home/nutanix/security/hawk_armor_secure.pp'
2025-09-09 16:14:21 - Failed to install hawk_armor_secure policy
", err: b'Re-declaration of type secure_executable_file_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/hawk_armor_types/cil:1
semodule:  Failed!
Re-declaration of type secure_executable_file_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/hawk_armor_types/cil:1
semodule:  Failed!
Re-declaration of type secure_executable_file_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/hawk_armor_types/cil:1
semodule:  Failed!
Re-declaration of type secure_executable_file_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/hawk_armor_types/cil:1
semodule:  Failed!
Re-declaration of type secure_executable_file_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/hawk_armor_types/cil:1
semodule:  Failed!

hawk_armor_enable.sh failed the same way.

Removing hawk_armor_types was not possible due to the already-applied fcontexts. After fighting the semodules, converting to CIL and trying to fix it, I just removed the node from the cluster, reimaged it and added it to the cluster again in the end.
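The "Re-declaration of type" error above is what semodule reports when two modules each carry a (type ...) declaration for the same name. The script below is an added example, not from this thread or from Nutanix: it scans CIL text for type names declared in more than one module so the conflict is visible before semodule -i is attempted. It assumes that the CIL of a loaded module can be exported with "semodule -E <module> -c"; the two CIL files it uses are constructed inline to mimic the module names in the log.

```shell
#!/usr/bin/env bash
# Added example: detect SELinux type names declared by more than one CIL module
# before loading a new .pp, the conflict behind "Re-declaration of type ...".
# On a real host the CIL for a loaded module can be exported with
# "semodule -E <module> -c" (assumed available); here two CIL files are
# constructed inline to mimic hawk_armor_types and hawk_armor_secure.

extract_type_decls() {
    # Print the name of every "(type NAME)" declaration in one CIL file, once each.
    # The mandatory whitespace after "type" keeps typeattribute/typealias out.
    sed -n 's/^[[:space:]]*(type[[:space:]]\{1,\}\([A-Za-z0-9_.]*\)).*/\1/p' "$1" | sort -u
}

find_type_redeclarations() {
    # Tag each file's declared types with the file name, then report every
    # type that appears in more than one file as "type: file1, file2".
    for f in "$@"; do
        extract_type_decls "$f" | awk -v file="$f" '{ print $0 "\t" file }'
    done | awk -F'\t' '
        { n[$1]++; where[$1] = (where[$1] == "" ? "" : where[$1] ", ") $2 }
        END { for (t in n) if (n[t] > 1) print t ": " where[t] }' | sort
}

# Constructed sample modules (not the real Nutanix policy).
CIL_DIR=$(mktemp -d)
cat > "$CIL_DIR/hawk_armor_types.cil" <<'EOF'
(type secure_executable_file_t)
(roletype object_r secure_executable_file_t)
(typeattributeset file_type (secure_executable_file_t))
EOF
cat > "$CIL_DIR/hawk_armor_secure.cil" <<'EOF'
(type secure_executable_file_t)
(type hawk_armor_t)
(allow hawk_armor_t secure_executable_file_t (file (read execute)))
EOF

# Check the CIL files given as arguments, or the constructed pair without arguments.
if [ "$#" -gt 0 ]; then
    conflicts=$(find_type_redeclarations "$@")
else
    conflicts=$(find_type_redeclarations "$CIL_DIR/hawk_armor_types.cil" "$CIL_DIR/hawk_armor_secure.cil")
fi
if [ -n "$conflicts" ]; then
    printf 'Conflicting type declarations; semodule -i would fail:\n%s\n' "$conflicts"
else
    echo "No conflicting type declarations found."
fi
```

Running it against the exported CIL of the already-loaded modules plus the new module names the offending type and the modules that declare it, which is the information needed to decide which module has to go first.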

