Configure SELinux
You can use the optional SELinux policy module included in the package to secure F5 NGINX Agent operations with flexible, mandatory access control that follows the principle of least privilege.
The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.
Take these preparatory steps before configuring SELinux:
- Enable SELinux on your system.
- Install the tools load_policy, semodule, and restorecon.
- Install NGINX Agent with SELinux module files in place.
SELinux can use permissive mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.
The following SELinux files are added when you install the NGINX Agent package:
- /usr/share/selinux/packages/nginx_agent.pp - loadable binary policy module
- /usr/share/selinux/devel/include/contrib/nginx_agent.if - interface definitions file
- /usr/share/man/man8/nginx_agent_selinux.8.gz - policy man page
To load the NGINX Agent policy, run the following commands as root:
sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agent
Make sure to add external ports to the firewall exception list.
To allow external ports outside the HTTPD context, run:
sudo setsebool -P httpd_can_network_connect 1
For more information, see Using NGINX and NGINX Plus with SELinux.
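The following script is an added example and not part of the NGINX Agent package or its documentation. It wraps the procedure above (prerequisite check, module load, relabel, optional boolean) in shell functions and adds the check a practitioner wants after a permissive-mode run: summarising the AVC denials that the audit log attributes to the nginx-agent process, so they can be reviewed before the host is switched to enforcing. The audit lines in SAMPLE_AUDIT are constructed for the demo, and the SELinux type names they contain (nginx_agent_t, httpd_t, the port types) are assumptions rather than values taken from the page.

```shell
#!/bin/sh
# Added example (not from the NGINX Agent docs): load the optional nginx_agent
# SELinux module, relabel the agent's files, and review AVC denials.
set -eu

POLICY_PP=/usr/share/selinux/packages/nginx_agent.pp
# Paths from the procedure whose labels restorecon resets after the load.
AGENT_PATHS="/usr/bin/nginx-agent /var/log/nginx-agent /etc/nginx-agent"

# Constructed sample audit output (labels such as nginx_agent_t are assumed).
# Two denials belong to nginx-agent, the third to a different process.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="nginx-agent" dest=443 scontext=system_u:system_r:nginx_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="nginx-agent" name="agent.log" scontext=system_u:system_r:nginx_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=2345 comm="nginx" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Print the current SELinux mode: Enforcing, Permissive or Disabled.
# Falls back to Disabled when getenforce is not installed at all.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}

# Return 0 when every tool listed in the prerequisites is on PATH.
check_tools() {
  missing=0
  for t in load_policy semodule restorecon; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; missing=1; }
  done
  return $missing
}

# The page's load sequence: -n installs the module without reloading policy,
# load_policy then loads it once, and restorecon reapplies the new labels.
load_nginx_agent_policy() {
  semodule -n -i "$POLICY_PP"
  /usr/sbin/load_policy
  for p in $AGENT_PATHS; do restorecon -R "$p"; done
}

# Return 0 if semodule now lists the nginx_agent module.
policy_loaded() { semodule -l | grep -q '^nginx_agent'; }

# Only needed when the agent must reach ports outside the HTTPD context.
allow_external_ports() { setsebool -P httpd_can_network_connect 1; }

# Count AVC denial lines on stdin that name the nginx-agent process.
count_agent_denials() { grep -c 'avc: *denied.*comm="nginx-agent"' || true; }

# Reduce nginx-agent denials on stdin to unique "tclass:permission" pairs,
# which is the list an admin reviews before moving from permissive to enforcing.
summarize_agent_denials() {
  sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*comm="nginx-agent".*tclass=\([a-z_]*\).*/\2:\1/p' | sort -u
}

# Usage: sh selinux_agent.sh apply   (as root, on an SELinux-enabled host)
#        sh selinux_agent.sh demo    (offline, runs the parser on SAMPLE_AUDIT)
if [ "${1:-}" = "apply" ]; then
  mode=$(selinux_mode)
  [ "$mode" != Disabled ] || { echo "SELinux is disabled; enable it first" >&2; exit 1; }
  check_tools
  load_nginx_agent_policy
  policy_loaded && echo "nginx_agent module loaded (mode: $mode)"
  [ "${ALLOW_EXTERNAL_PORTS:-0}" = 1 ] && allow_external_ports
  echo "nginx-agent denials since boot (tclass:permission):"
  ausearch -m AVC -ts boot 2>/dev/null | summarize_agent_denials
elif [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | summarize_agent_denials
fi
```

In permissive mode every denial is logged with permissive=1 and the operation still succeeds, so an empty summary after exercising the agent is the signal that enforcing mode is safe to enable; a non-empty one points at the exact class and permission to examine.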
- https://man7.org/linux/man-pages/man8/selinux.8.html
- https://www.redhat.com/en/topics/linux/what-is-selinux
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux
- https://wiki.centos.org/HowTos/SELinux
- https://wiki.gentoo.org/wiki/SELinux
- https://opensource.com/business/13/11/selinux-policy-guide
- https://www.nginx.com/blog/using-nginx-plus-with-selinux/