Add NGINX Agent v3.0 SELinux configuration guide #342

Open
wants to merge 1 commit into
base: agent-release-3.0
50 changes: 50 additions & 0 deletions content/agent/how-to/how-to-configure-selinux.md
@@ -0,0 +1,50 @@
---
title: Configure SELinux
weight: 600
---

## Overview

You can use the optional SELinux policy module included in the package to secure F5 NGINX Agent operations with flexible, mandatory access control that follows the principle of least privilege.

{{< important >}}The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.{{< /important >}}

---

## Before you begin

Take these preparatory steps before configuring SELinux:

1. Enable SELinux on your system.
2. Install the tools `load_policy`, `semodule`, and `restorecon`.
3. [Install NGINX Agent]({{< rel "/agent/install-upgrade/install.md" >}}) with SELinux module files in place.

{{< important >}}SELinux can use `permissive` mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.{{< /important >}}

---

## Enable SELinux for NGINX Agent {#selinux-agent}

The following SELinux files are added when you install the NGINX Agent package:

- `/usr/share/selinux/packages/nginx_agent.pp` - loadable binary policy module
- `/usr/share/selinux/devel/include/contrib/nginx_agent.if` - interface definitions file
- `/usr/share/man/man8/nginx_agent_selinux.8.gz` - policy man page

To load the NGINX Agent policy, run:

{{< include "installation/agent-selinux.md" >}}

{{<see-also>}}For more information, see [Using NGINX and NGINX Plus with SELinux](https://www.nginx.com/blog/using-nginx-plus-with-selinux/).{{</see-also>}}

---

## Recommended Resources

- <https://man7.org/linux/man-pages/man8/selinux.8.html>
- <https://www.redhat.com/en/topics/linux/what-is-selinux>
- <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux>
- <https://wiki.centos.org/HowTos/SELinux>
- <https://wiki.gentoo.org/wiki/SELinux>
- <https://opensource.com/business/13/11/selinux-policy-guide>
- <https://www.nginx.com/blog/using-nginx-plus-with-selinux/>
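
Review bot: The second important note under "Before you begin" tells the reader to "Verify which mode your configuration uses" but gives no way to do it, and nothing after the include in "Enable SELinux for NGINX Agent" confirms that the module actually loaded. Since the Overview stresses that the policy is not loaded automatically, a reader in `permissive` mode or with a failed load could believe the agent is confined when it is not. Suggest naming `getenforce` or `sestatus` in the note and adding a verification step after the include, for example `semodule -l | grep nginx_agent`. The load commands themselves come from `installation/agent-selinux.md`, which is not part of this diff, so please confirm that the include exists on `agent-release-3.0` and that its steps use all three tools listed in step 2. Minor: `{{<see-also>}}` is written without the inner spaces used by `{{< important >}}`, "Recommended Resources" is title case while "Before you begin" is sentence case, and the nginx.com blog link appears both in the see-also and in the resources list.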