Configure SELinux

Legacy 'nms' references
Some commands, file paths, and configuration references still use nms due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.

Overview

You can use the optional SELinux policy module included in the package to secure F5 NGINX Instance Manager operations with flexible, mandatory access control that follows the principle of least privilege.

The SELinux policy is scoped to let NGINX Instance Manager perform every operation its default configuration needs, including inter-process communication over the default Unix sockets, or over TCP as an alternative. Any other change to the configuration may require manual adjustments to the default policy before the application works.

Important:
The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.

Before you begin

Take these preparatory steps before configuring SELinux:

  1. Enable SELinux on your system.
  2. Install the tools load_policy, semodule, and restorecon.
  3. Install NGINX Instance Manager with SELinux module files in place.

Important:
SELinux can run in permissive mode, where policy violations are logged but not enforced, so a misconfigured policy can appear to work until the system is switched to enforcing mode. Verify which mode your system uses (getenforce reports it).

Install NGINX Instance Manager policy

The NGINX Instance Manager installer places SELinux policy files in these locations:

  • /usr/share/selinux/packages/nms.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nms.if - interface definitions file
  • /usr/share/man/man8/nms_selinux.8.gz - policy man page

You can load and configure the SELinux policy using the following steps.

Load policy and set default labels

To load the SELinux policy included with NGINX Instance Manager:

  1. Load the NGINX Instance Manager policy:

    sudo semodule -n -i /usr/share/selinux/packages/nms.pp
    sudo /usr/sbin/load_policy
    
  2. Restore default SELinux labels for related files and directories:

    sudo restorecon -F -R /usr/bin/nms-core
    sudo restorecon -F -R /usr/bin/nms-dpm
    sudo restorecon -F -R /usr/bin/nms-ingestion
    sudo restorecon -F -R /usr/bin/nms-integrations
    sudo restorecon -F -R /usr/lib/systemd/system/nms.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-core.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-dpm.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-ingestion.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-integrations.service
    sudo restorecon -F -R /var/lib/nms/modules/manager.json
    sudo restorecon -F -R /var/lib/nms/modules.json
    sudo restorecon -F -R /var/lib/nms/streaming
    sudo restorecon -F -R /var/lib/nms
    sudo restorecon -F -R /var/lib/nms/dqlite
    sudo restorecon -F -R /var/run/nms
    sudo restorecon -F -R /var/lib/nms/modules
    sudo restorecon -F -R /var/log/nms
    
  3. Restart NGINX Instance Manager services:

    sudo systemctl restart nms
    

Add ports to SELinux context

The policy module runs NGINX Instance Manager in the nms_t domain and labels the ports it may listen on with the nms_port_t type. To allow the service to use additional TCP ports, add them to nms_port_t:

  1. Add TCP ports 10000 and 11000 to the nms_port_t context:

    sudo semanage port -a -t nms_port_t -p tcp 10000
    sudo semanage port -a -t nms_port_t -p tcp 11000
    
  2. If semanage reports that the port is already defined (it is mapped to another type), use -m to change the existing mapping instead:

    sudo semanage port -m -t nms_port_t -p tcp 10000
    sudo semanage port -m -t nms_port_t -p tcp 11000
    
  3. Verify that each port now carries the nms_port_t label:

    seinfo --portcon=10000
    seinfo --portcon=11000
    
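Choosing between -a and -m by hand gets tedious once more than a couple of ports are involved. The following script is an added example, not part of the NGINX documentation: it reads the output of `semanage port -l`, reports which type currently owns a TCP port, and decides whether the port needs `-a`, `-m`, or nothing. Only exact port entries count: a port that merely falls inside a range such as unreserved_port_t's 1024-32767 can still be added with `-a`, because semanage reports "already defined" only when the exact port has its own mapping. The listing below is constructed sample output; the port numbers and the nms_port_t type are the ones from the page.

```shell
#!/bin/sh
# Added example (not from the NGINX docs): decide the semanage action for a
# TCP port from a `semanage port -l` listing.

# Constructed sample in the format `semanage port -l` prints; on a real host use
#   LISTING="$(sudo semanage port -l)"
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
nms_port_t                     tcp      11000
unreserved_port_t              tcp      1024-32767, 61001-65535
zope_port_t                    tcp      8021'

# port_type LISTING PROTO PORT: prints the type that has an exact mapping for
# PROTO/PORT, or nothing when no exact mapping exists (ranges are ignored).
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)               # strip the list separator
                if (p !~ /-/ && p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# port_action LISTING PORT: "none" (already nms_port_t), "modify" (owned by
# another type, use -m) or "add" (no exact mapping, use -a).
port_action() {
    current="$(port_type "$1" tcp "$2")"
    if [ "$current" = "nms_port_t" ]; then
        echo none
    elif [ -n "$current" ]; then
        echo modify
    else
        echo add
    fi
}

# label_nms_port PORT: apply the matching semanage command on a real host.
label_nms_port() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }
    case "$(port_action "$(sudo semanage port -l)" "$1")" in
        add)    sudo semanage port -a -t nms_port_t -p tcp "$1" ;;
        modify) sudo semanage port -m -t nms_port_t -p tcp "$1" ;;
        none)   echo "tcp/$1 is already nms_port_t" ;;
    esac
}

# Walk the sample: 10000 has no mapping, 11000 is already labelled,
# 8021 belongs to zope_port_t and would need -m.
for port in 10000 11000 8021; do
    printf 'tcp/%s -> %s\n' "$port" "$(port_action "$SAMPLE_PORTS" "$port")"
done
```

On a host with SELinux, `label_nms_port 10000` runs the right command for you; `port_action "$(sudo semanage port -l)" 10000` alone is a safe read-only check before changing anything.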

Remove ports from SELinux context

If you uninstall NGINX Instance Manager, remove the port mappings you added to nms_port_t (semanage requires the protocol here as well):

sudo semanage port -d -t nms_port_t -p tcp 10000
sudo semanage port -d -t nms_port_t -p tcp 11000

Enable SELinux for NGINX Agent

The following SELinux files are added when you install the NGINX Agent package:

  • /usr/share/selinux/packages/nginx_agent.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nginx_agent.if - interface definitions file
  • /usr/share/man/man8/nginx_agent_selinux.8.gz - policy man page

To load the NGINX Agent policy, run:

sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agent
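The "Load policy and set default labels" steps for NGINX Instance Manager above and the NGINX Agent commands just shown follow the same pattern: install the packaged .pp module, reload the kernel policy, then relabel a fixed list of paths. The script below is an added example, not part of the NGINX documentation, that wraps both in one function. It checks that the module file and the SELinux tools are present, reports the SELinux mode (permissive mode only logs denials), and skips relabel targets that do not exist yet, because restorecon aborts on a missing path and /var/run/nms is only created once the service has run. The path lists are the ones from the page; /var/lib/nms is relabelled recursively, which already covers the modules, dqlite and streaming entries the page lists individually. The example applies `-F -R` to both products, as the Instance Manager steps do.

```shell
#!/bin/sh
# Added example (not from the NGINX docs): load a packaged SELinux policy
# module and relabel the paths that exist, for both nms and nginx_agent.

# Relabel targets from the page. /var/lib/nms is recursive, so its
# modules/, dqlite/, streaming/ and JSON files are covered.
NMS_PATHS='/usr/bin/nms-core
/usr/bin/nms-dpm
/usr/bin/nms-ingestion
/usr/bin/nms-integrations
/usr/lib/systemd/system/nms.service
/usr/lib/systemd/system/nms-core.service
/usr/lib/systemd/system/nms-dpm.service
/usr/lib/systemd/system/nms-ingestion.service
/usr/lib/systemd/system/nms-integrations.service
/var/lib/nms
/var/run/nms
/var/log/nms'

NGINX_AGENT_PATHS='/usr/bin/nginx-agent
/var/log/nginx-agent
/etc/nginx-agent'

# existing_paths: read newline-separated paths on stdin, print those present.
existing_paths() {
    while IFS= read -r p; do
        if [ -n "$p" ] && [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# missing_paths: the complement of existing_paths, used for the summary.
missing_paths() {
    while IFS= read -r p; do
        if [ -n "$p" ] && [ ! -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# selinux_mode: Enforcing, Permissive or Disabled; "Unavailable" when
# getenforce is not installed, so the script still runs on any host.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Unavailable
    fi
}

# load_policy_module NAME PATHS: install /usr/share/selinux/packages/NAME.pp,
# reload the kernel policy, then relabel every PATHS entry that exists.
load_policy_module() {
    name="$1"
    paths="$2"
    pp="/usr/share/selinux/packages/${name}.pp"

    for tool in semodule restorecon; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    [ -x /usr/sbin/load_policy ] || { echo "missing tool: /usr/sbin/load_policy" >&2; return 1; }
    [ -f "$pp" ] || { echo "policy module not found: $pp" >&2; return 1; }
    case "$(selinux_mode)" in
        Enforcing)  ;;
        Permissive) echo "note: SELinux is permissive, denials are only logged" >&2 ;;
        *)          echo "SELinux is not enabled on this host" >&2; return 1 ;;
    esac

    sudo semodule -n -i "$pp" || return 1
    sudo /usr/sbin/load_policy || return 1

    printf '%s\n' "$paths" | existing_paths | while IFS= read -r p; do
        sudo restorecon -F -R "$p"
    done
    printf '%s\n' "$paths" | missing_paths | sed 's/^/skipped (not present): /' >&2
}

# Usage on a real host (not run here):
#   load_policy_module nms "$NMS_PATHS" && sudo systemctl restart nms
#   load_policy_module nginx_agent "$NGINX_AGENT_PATHS"

# Read-only report: SELinux mode and which nms relabel targets exist here.
echo "SELinux mode: $(selinux_mode)"
printf '%s\n' "$NMS_PATHS" | existing_paths
```

Running the script without arguments only prints the report; the two commented usage lines are the actual install steps, and the restart of the nms service afterwards is the page's step 3.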

Add ports to NGINX Agent SELinux context

Make sure to add any external ports to the firewall exception list as well.

To allow processes in the HTTPD domain to connect to external ports, enable the httpd_can_network_connect boolean (the -P flag makes the setting persist across reboots):

sudo setsebool -P httpd_can_network_connect 1

See Also:
For more information, see Using NGINX and NGINX Plus with SELinux.

Last modified January 2, 2025