Configure SELinux

Some commands, file paths, and configuration references still use nms due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.

You can use the optional SELinux policy module included in the package to secure F5 NGINX Instance Manager operations with flexible, mandatory access control that follows the principle of least privilege.

The scope of the SELinux policy allows NGINX Instance Manager to perform all operations needed to support the default configuration. This includes inter-process communication on the default Unix sockets and TCP as an alternative. Other changes may require manual adjustments to the default policy for the application to work.

Important
The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.

Take these preparatory steps before configuring SELinux:

  1. Enable SELinux on your system.
  2. Install the tools load_policy, semodule, and restorecon.
  3. Install NGINX Instance Manager with SELinux module files in place.
Important
SELinux can use permissive mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.

The NGINX Instance Manager installer places SELinux policy files in these locations:

  • /usr/share/selinux/packages/nms.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nms.if - interface definitions file
  • /usr/share/man/man8/nms_selinux.8.gz - policy man page

You can load and configure the SELinux policy using the following steps.

To load the SELinux policy included with NGINX Instance Manager:

  1. Load the NGINX Instance Manager policy:

    bash
    sudo semodule -n -i /usr/share/selinux/packages/nms.pp
    sudo /usr/sbin/load_policy
  2. Restore default SELinux labels for related files and directories:

    bash
    sudo restorecon -F -R /usr/bin/nms-core
    sudo restorecon -F -R /usr/bin/nms-dpm
    sudo restorecon -F -R /usr/bin/nms-ingestion
    sudo restorecon -F -R /usr/bin/nms-integrations
    sudo restorecon -F -R /usr/lib/systemd/system/nms.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-core.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-dpm.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-ingestion.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-integrations.service
    sudo restorecon -F -R /var/lib/nms/modules/manager.json
    sudo restorecon -F -R /var/lib/nms/modules.json
    sudo restorecon -F -R /var/lib/nms/streaming
    sudo restorecon -F -R /var/lib/nms
    sudo restorecon -F -R /var/lib/nms/dqlite
    sudo restorecon -F -R /var/run/nms
    sudo restorecon -F -R /var/lib/nms/modules
    sudo restorecon -F -R /var/log/nms
  3. Restart NGINX Instance Manager services:

    sudo systemctl restart nms

NGINX Instance Manager uses the nms_t context in the policy module. To add new TCP ports to this context:

  1. Add TCP ports 10000 and 11000 to the nms_port_t context:

    bash
    sudo semanage port -a -t nms_port_t -p tcp 10000
    sudo semanage port -a -t nms_port_t -p tcp 11000
  2. If the port context is already defined, use -m to modify it:

    bash
    sudo semanage port -m -t nms_port_t -p tcp 10000
    sudo semanage port -m -t nms_port_t -p tcp 11000
  3. Verify the port has the correct label:

    bash
    seinfo --portcon=10000
    seinfo --portcon=11000

If you uninstall NGINX Instance Manager, remove the associated ports:

bash
sudo semanage port -d -t nms_t 10000
sudo semanage port -d -t nms_t 11000

The following SELinux files are added when you install the NGINX Agent package:

  • /usr/share/selinux/packages/nginx_agent.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nginx_agent.if - interface definitions file
  • /usr/share/man/man8/nginx_agent_selinux.8.gz - policy man page

To load the NGINX Agent policy, run the following commands as root:

bash
sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agent

Make sure to add external ports to the firewall exception list.

To allow external ports outside the HTTPD context, run:

sudo setsebool -P httpd_can_network_connect 1
For more information, see Using NGINX and NGINX Plus with SELinux.