Configure SELinux

The default settings for Security-Enhanced Linux (SELinux) on modern Red Hat Enterprise Linux (RHEL) and related distros can be very strict, prioritizing security over user convenience.

To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile.

For troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but this is inadvisable for prolonged use.

Although F5 WAF for NGINX provides an optional package with a prebuilt SELinux policy (app-protect-selinux), your specific configuration might still be blocked unless you adjust the policy or modify file labels.

You may want to read the Using NGINX and NGINX Plus with SELinux blog post for more information.

Modifying file labels

If you plan to store your security policy files in an alternative folder such as /etc/security_policies, you should change the default SELinux file context:

semanage fcontext -a -t nap-compiler_conf_t /etc/security_policies
restorecon -Rv /etc/security_policies

Redirecting syslog to a custom port

If you want to send logs to a custom, unreserved port, you can use semanage to add the desired port to the syslogd_port_t type:

semanage port -a -t syslogd_port_t -p tcp <your-port>

Review the syslog ports by entering the following command:

semanage port -l | grep syslog

For more information related to syslog, see the Security logs topic.

Review audits

F5 WAF for NGINX files and processes are labelled with the nap-compiler_t and nap-engine_t contexts. NGINX Plus is labelled with httpd_t.

If SELinux denies access to something, you can search the audit log for denials involving one of the above contexts:

ausearch --start recent -m avc --raw -se nap-engine_t

The --start recent argument limits the search to the previous 10 minutes.
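The audit review step as a worked example (added here; this is not part of the F5 documentation or the app-protect-selinux package): a POSIX shell filter that reads raw AVC records, as printed by the ausearch command above, and reduces each denial to source type, target type, class, permission and object, so that mislabelled policy files (etc_t) and unregistered log ports (unreserved_port_t) stand out. The sample records and the process names in them are constructed.

```shell
#!/bin/sh
# Added example: summarise raw SELinux AVC denials for the F5 WAF for NGINX
# domains. Pipe `ausearch --start recent -m avc --raw` into filter_nap.

# summarize_avc: one line per denial with source type, target type, class,
# permission set, object (file name or destination port) and whether the
# denial was enforced (permissive=0) or only logged (permissive=1).
summarize_avc() {
    awk '
    /^type=AVC/ && /denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; obj = "-"; mode = "enforced"
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "name" || kv[1] == "path") obj = kv[2]
            else if (kv[1] == "dest") obj = "port " kv[2]
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "logged-only"
        }
        printf "%s -> %s %s { %s } %s [%s]\n", src, tgt, cls, perm, obj, mode
    }'
}

# filter_nap: keep only denials whose source domain is one of the F5 WAF
# for NGINX types named on this page.
filter_nap() {
    summarize_avc | grep -E '^nap-(engine|compiler)_t '
}

# Constructed sample of `ausearch --raw` output (not real audit data).
# Record 1: policy file left with the generic etc_t label (needs relabelling).
# Record 2: log shipping to a port not yet added to syslogd_port_t.
# Record 3: an httpd_t denial that filter_nap must leave out.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=2101 comm="nap-engine" name="policy.json" dev="dm-0" ino=4242 scontext=system_u:system_r:nap-engine_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { name_connect } for  pid=2101 comm="nap-engine" dest=5144 scontext=system_u:system_r:nap-engine_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { write } for  pid=1555 comm="nginx" name="access.log" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1'

printf '%s\n' "$SAMPLE_AVC" | filter_nap
```

On a live system replace the sample with `ausearch --start recent -m avc --raw | filter_nap`; a target type of etc_t points at the fcontext fix above and unreserved_port_t at the semanage port fix.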