SQL Server 2022 marked a significant milestone by enabling you to run SQL Server on RHEL 9 as a confined application. Our commitment to prioritizing security mechanisms ensures that enforcing security policies on Linux systems is more straightforward than ever. In this blog post, we'll explore how you can effectively integrate SQL Server deployments with SELinux and provide you with valuable resources.
For detailed information, please visit our official documentation: Get Started With SQL Server on SELinux - SQL Server | Microsoft Learn.
What is SELinux (Security-Enhanced Linux)?
SELinux is a robust security architecture for Linux systems that defines access controls for applications, processes, and files. It provides Mandatory Access Control (MAC) through security policies, which are sets of rules that dictate what can or cannot be accessed. This gives administrators greater control over who can access the system.
For details, I recommend the following articles:
- What is SELinux (Security-Enhanced Linux)
- SELinux Architecture as seen in Red Hat Systems
SQL Server and SELinux
To enforce SELinux-based security policies for SQL Server 2022 and later versions, you need to install the supported mssql-server-selinux package as documented here. The package includes customized SELinux-specific rules that enable you to run SQL Server as a confined application. Here are the prerequisites:
- Ensure SELinux is enabled and in enforcing mode on the RHEL system. You can check this using the command sestatus, and the output should look like this:
For further information on enabling SELinux, please follow the official documentation: Changing SELinux states and modes | Red Hat Product Documentation.
- Install the mssql-server-selinux package, which installs SQL Server and enables the custom SELinux policy that confines the SQL Server processes. It resets the selinuxuser_execmod Boolean and configures the SQL Server service to run in the mssql_server_t domain (type).
To learn more about the different types defined in the 'mssql-server-selinux' package for SQL Server and how you can customize the data path or log path for SQL Server when running as a confined application, please refer to the official documentation: Get Started With SQL Server on SELinux - SQL Server | Microsoft Learn.
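The two conditions above (SELinux in enforcing mode, SQL Server running in the mssql_server_t domain) can be checked from command output. The script below is an added example, not part of the original post or of the mssql-server-selinux package; the sample outputs are constructed, and the process name sqlservr and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: verify the two conditions described above from command output.
# Sample text below is constructed for illustration, not captured from a host.
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'
# Edge case: config file says enforcing, but the running mode is permissive.
SAMPLE_SESTATUS_PERMISSIVE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'
# Assumption: the SQL Server process appears as "sqlservr" in `ps -eZ`.
SAMPLE_PS='LABEL                                  PID TTY      TIME CMD
system_u:system_r:mssql_server_t:s0   2101 ?    00:00:01 sqlservr
system_u:system_r:mssql_server_t:s0   2105 ?    00:03:12 sqlservr'
SAMPLE_PS_UNCONFINED='system_u:system_r:unconfined_service_t:s0 2101 ? 00:00:01 sqlservr'

# Print the value of one "Name:   value" field from sestatus output.
sestatus_field() {  # $1 = sestatus text, $2 = field name
    printf '%s\n' "$1" |
        awk -F': *' -v k="$2" '$1 == k { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Succeed only if SELinux is enabled and the *current* mode is enforcing.
selinux_enforcing() {  # $1 = sestatus text
    [ "$(sestatus_field "$1" 'SELinux status')" = enabled ] &&
        [ "$(sestatus_field "$1" 'Current mode')" = enforcing ]
}

# Print the distinct SELinux types (third label field) of sqlservr processes.
sqlservr_domains() {  # $1 = `ps -eZ` text
    printf '%s\n' "$1" |
        awk '$NF == "sqlservr" { split($1, c, ":"); print c[3] }' | sort -u
}

# Succeed only if sqlservr is running and every instance is in mssql_server_t.
sqlservr_confined() {  # $1 = `ps -eZ` text
    [ "$(sqlservr_domains "$1")" = mssql_server_t ]
}

# On a RHEL host, pass "live" to check the real system instead of the samples.
if [ "${1:-}" = live ]; then
    selinux_enforcing "$(sestatus)" && echo "SELinux: enforcing" || echo "SELinux: NOT enforcing"
    sqlservr_confined "$(ps -eZ)" && echo "sqlservr: mssql_server_t" ||
        echo "sqlservr: not confined (types: $(sqlservr_domains "$(ps -eZ)"))"
    getsebool selinuxuser_execmod   # report the Boolean the package resets
fi
```

The enforcing check reads the "Current mode" field rather than "Mode from config file", so a host temporarily switched to permissive mode is reported as not enforcing.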
Thanks,
Andrew Carter (Lead), Pierre-Louis Caron-Auger and Eric Julien from the Engineering team and our partners from Red Hat Engineering.