Configure SELinux

You can use the optional SELinux policy module included in the package to secure F5 NGINX Agent operations with flexible, mandatory access control that follows the principle of least privilege.

Important
The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.

Take these preparatory steps before configuring SELinux:

  1. Enable SELinux on your system.
  2. Install the tools load_policy, semodule, and restorecon.
  3. Install NGINX Agent so that its SELinux module files are in place.

Important
SELinux can run in permissive mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.

The following SELinux files are added when you install the NGINX Agent package:

  • /usr/share/selinux/packages/nginx_agent.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nginx_agent.if - interface definitions file
  • /usr/share/man/man8/nginx_agent_selinux.8.gz - policy man page

To load the NGINX Agent policy, run the following commands as root:

```bash
sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agent
```

Make sure to add external ports to the firewall exception list.

To allow processes in the HTTPD SELinux domain (which includes NGINX) to connect to external ports, run:

```bash
sudo setsebool -P httpd_can_network_connect 1
```

For more information, see Using NGINX and NGINX Plus with SELinux.
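As an added example (not part of the NGINX Agent package or its documentation), the following POSIX shell script summarises AVC denials attributed to the nginx-agent process from audit log text, which is how you confirm in permissive mode that the loaded policy covers the agent's activity before switching to enforcing. The audit lines are constructed, and the nginx_agent_t domain label in them is an assumption.

```sh
#!/bin/sh
# Added example (not part of the NGINX Agent package): summarise SELinux AVC
# denials attributed to nginx-agent from audit text, e.g. on a live host:
#   ausearch -m avc -ts recent | agent_denials
# The sample lines are constructed; the nginx_agent_t domain name is an
# assumption, not a label taken from the package documentation.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx-agent" dest=443 scontext=system_u:system_r:nginx_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=1234 comm="nginx-agent" name="agent.log" scontext=system_u:system_r:nginx_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.125:458): avc:  denied  { name_connect } for  pid=1234 comm="nginx-agent" dest=443 scontext=system_u:system_r:nginx_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.126:459): avc:  denied  { read } for  pid=2222 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read audit text on stdin; print "COUNT PERMISSIONS TCLASS" for each distinct
# denial kind attributed to the nginx-agent process; other domains are ignored.
# Multiple permissions in one denial are joined with commas.
agent_denials() {
  awk '/avc: *denied/ && /comm="nginx-agent"/ {
    perms = $0; sub(/.*denied *\{ */, "", perms); sub(/ *\}.*/, "", perms)
    gsub(/ /, ",", perms)
    cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
    print perms, cls
  }' | sort | uniq -c | sed 's/^ *//'
}

# Number of distinct denial kinds on stdin; 0 means the loaded policy covered
# everything the agent did while SELinux was in permissive mode.
agent_denial_kinds() {
  agent_denials | wc -l | tr -d ' '
}

# Count of denials of PERMISSIONS ($1) on TCLASS ($2) in audit text on stdin.
agent_denial_count() {
  agent_denials | awk -v p="$1" -v c="$2" '$2 == p && $3 == c { n = $1 } END { print n + 0 }'
}

# Run against the constructed sample; pipe ausearch output on a live host instead.
printf '%s\n' "$SAMPLE_AUDIT" | agent_denials
```

Repeat the check after exercising the agent's normal workload; only when it reports no denials is it safe to rely on enforcing mode for the agent.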