# Configure SELinux Type of document: How-to guide Product: NGINX Agent --- ## Overview You can use the optional SELinux policy module included in the package to secure F5 NGINX Agent operations with flexible, mandatory access control that follows the principle of least privilege. **Note:** The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below. ## Before you begin Take these preparatory steps before configuring SELinux: 1. Enable SELinux on your system. 2. Install the tools `load_policy`, `semodule`, and `restorecon`. 3. [Install NGINX Agent](/nginx-one-console/agent/install-upgrade/_index.md) with SELinux module files in place. **Note:** SELinux can use `permissive` mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses. --- ## Enable SELinux for NGINX Agent {#selinux-agent} The following SELinux files are added when you install the NGINX Agent package: - `/usr/share/selinux/packages/nginx_agent.pp` - loadable binary policy module - `/usr/share/selinux/devel/include/contrib/nginx_agent.if` - interface definitions file - `/usr/share/man/man8/nginx_agent_selinux.8.gz` - policy man page To load the NGINX Agent policy, run the following commands as root: ```bash sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp sudo /usr/sbin/load_policy sudo restorecon -R /usr/bin/nginx-agent sudo restorecon -R /var/log/nginx-agent sudo restorecon -R /etc/nginx-agent ``` ### Add ports to NGINX Agent SELinux context Make sure to add external ports to the firewall exception list. To allow external ports outside the HTTPD context, run: ```bash sudo setsebool -P httpd_can_network_connect 1 ``` **Note:** For more information, see [Using NGINX and NGINX Plus with SELinux](https://www.nginx.com/blog/using-nginx-plus-with-selinux/). --- ## Recommended Resources - - - - - - -