Configure SELinux
Legacy 'nms' references Some commands, file paths, and configuration references still usenmsdue to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.
You can use the optional SELinux policy module included in the package to secure F5 NGINX Instance Manager operations with flexible, mandatory access control that follows the principle of least privilege.
The scope of the SELinux policy allows NGINX Instance Manager to perform all operations needed to support the default configuration. This includes inter-process communication on the default Unix sockets and TCP as an alternative. Other changes may require manual adjustments to the default policy for the application to work.
Important The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.
Take these preparatory steps before configuring SELinux:
- Enable SELinux on your system.
- Install the tools load_policy,semodule, andrestorecon.
- Install NGINX Instance Manager with SELinux module files in place.
Important SELinux can usepermissivemode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.
The NGINX Instance Manager installer places SELinux policy files in these locations:
- /usr/share/selinux/packages/nms.pp- loadable binary policy module
- /usr/share/selinux/devel/include/contrib/nms.if- interface definitions file
- /usr/share/man/man8/nms_selinux.8.gz- policy man page
You can load and configure the SELinux policy using the following steps.
To load the SELinux policy included with NGINX Instance Manager:
- 
Load the NGINX Instance Manager policy: sudo semodule -n -i /usr/share/selinux/packages/nms.pp sudo /usr/sbin/load_policy
- 
Restore default SELinux labels for related files and directories: sudo restorecon -F -R /usr/bin/nms-core sudo restorecon -F -R /usr/bin/nms-dpm sudo restorecon -F -R /usr/bin/nms-ingestion sudo restorecon -F -R /usr/bin/nms-integrations sudo restorecon -F -R /usr/lib/systemd/system/nms.service sudo restorecon -F -R /usr/lib/systemd/system/nms-core.service sudo restorecon -F -R /usr/lib/systemd/system/nms-dpm.service sudo restorecon -F -R /usr/lib/systemd/system/nms-ingestion.service sudo restorecon -F -R /usr/lib/systemd/system/nms-integrations.service sudo restorecon -F -R /var/lib/nms/modules/manager.json sudo restorecon -F -R /var/lib/nms/modules.json sudo restorecon -F -R /var/lib/nms/streaming sudo restorecon -F -R /var/lib/nms sudo restorecon -F -R /var/lib/nms/dqlite sudo restorecon -F -R /var/run/nms sudo restorecon -F -R /var/lib/nms/modules sudo restorecon -F -R /var/log/nms
- 
Restart NGINX Instance Manager services: sudo systemctl restart nms
NGINX Instance Manager uses the nms_t context in the policy module. To add new TCP ports to this context:
- 
Add TCP ports 10000and11000to thenms_port_tcontext:sudo semanage port -a -t nms_port_t -p tcp 10000 sudo semanage port -a -t nms_port_t -p tcp 11000
- 
If the port context is already defined, use -mto modify it:sudo semanage port -m -t nms_port_t -p tcp 10000 sudo semanage port -m -t nms_port_t -p tcp 11000
- 
Verify the port has the correct label: seinfo --portcon=10000 seinfo --portcon=11000
If you uninstall NGINX Instance Manager, remove the associated ports:
sudo semanage port -d -t nms_t 10000
sudo semanage port -d -t nms_t 11000The following SELinux files are added when you install the NGINX Agent package:
- /usr/share/selinux/packages/nginx_agent.pp- loadable binary policy module
- /usr/share/selinux/devel/include/contrib/nginx_agent.if- interface definitions file
- /usr/share/man/man8/nginx_agent_selinux.8.gz- policy man page
To load the NGINX Agent policy, run:
sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agentMake sure to add external ports to the firewall exception list.
To allow external ports outside the HTTPD context, run:
sudo setsebool -P httpd_can_network_connect 1See Also: For more information, see Using NGINX and NGINX Plus with SELinux.
- https://man7.org/linux/man-pages/man8/selinux.8.html
- https://www.redhat.com/en/topics/linux/what-is-selinux
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux
- https://wiki.centos.org/HowTos/SELinux
- https://wiki.gentoo.org/wiki/SELinux
- https://opensource.com/business/13/11/selinux-policy-guide
- https://www.nginx.com/blog/using-nginx-plus-with-selinux/