Configure SELinux

Overview

You can use the optional SELinux policy module included in the package to secure F5 NGINX Management Suite operations with flexible, mandatory access control that follows the principle of least privilege.

The scope of the SELinux policy allows NGINX Management Suite to perform all operations needed to support the default configuration. This includes inter-process communication on the default Unix sockets and TCP as an alternative. Other changes may require manual adjustments to the default policy for the application to work.

Important:
The attached SELinux policy module is optional. As such, the module is not loaded automatically during installation even on SELinux-enabled systems. You must manually load the policy module as detailed in the following steps.

Before You Begin

To complete this tutorial, take the following preparatory steps:

  1. Enable SELinux on your system.
  2. Install the following tools: load_policy, semodule, and restorecon.
  3. Install NGINX Management Suite with SELinux module files in place.

Important:
SELinux can be configured to use permissive mode. In permissive mode, policy violations are logged instead of enforced. Make sure you know which mode your SELinux configuration uses.

Install NGINX Management Suite Policy

The NGINX Management Suite installer places the SELinux policy files in the following locations:

  • /usr/share/selinux/packages/nms.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nms.if - interface definitions file
  • /usr/share/man/man8/nms_selinux.8.gz - policy man page

You can interact with these files to learn about the policy. See the following section for steps on how to load the policy.

Load Policy and Set Default Labels

To use the SELinux policy that’s included with NGINX Management Suite, take the following steps:

  1. Load the NGINX Management Suite policy:

    sudo semodule -n -i /usr/share/selinux/packages/nms.pp
    sudo /usr/sbin/load_policy
    
  2. Run the following commands to restore the default SELinux labels for the files and directories related to NGINX Management Suite:

    sudo restorecon -F -R /usr/bin/nms-core
    sudo restorecon -F -R /usr/bin/nms-dpm
    sudo restorecon -F -R /usr/bin/nms-ingestion
    sudo restorecon -F -R /usr/bin/nms-integrations
    sudo restorecon -F -R /usr/lib/systemd/system/nms.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-core.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-dpm.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-ingestion.service
    sudo restorecon -F -R /usr/lib/systemd/system/nms-integrations.service
    sudo restorecon -F -R /var/lib/nms/modules/manager.json
    sudo restorecon -F -R /var/lib/nms/modules.json
    sudo restorecon -F -R /var/lib/nms/streaming
    sudo restorecon -F -R /var/lib/nms
    sudo restorecon -F -R /var/lib/nms/dqlite
    sudo restorecon -F -R /var/run/nms
    sudo restorecon -F -R /var/lib/nms/modules
    sudo restorecon -F -R /var/log/nms
    
  3. Restart the NGINX Management Suite services:

    sudo systemctl restart nms
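
Once the services run under the loaded policy, anything outside the default configuration shows up as AVC denials in the audit log, and in permissive mode those records are logged but not enforced. The following added example (not part of the NGINX Management Suite package) counts denials for the nms_t domain; the function names are hypothetical and the audit records are constructed sample data.

```sh
#!/bin/sh
# Added example, not shipped with NGINX Management Suite.
# avc_summary DOMAIN: read audit records on stdin and count AVC denials whose
# source type is DOMAIN, grouped by permissive flag, class, permissions, target type.
avc_summary() {
    awk -v dom="${1:-nms_t}" '
        /avc:/ && /denied/ {
            src = tgt = cls = perm = mode = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)   { split($i, c, ":"); src = c[3] }
                if ($i ~ /^tcontext=/)   { split($i, c, ":"); tgt = c[3] }
                if ($i ~ /^tclass=/)     cls  = substr($i, 8)
                if ($i ~ /^permissive=/) mode = substr($i, 12)
                if ($i == "{")           # permission list, e.g. { name_bind }
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
            }
            # permissive=1 means the access was logged but still allowed.
            if (src == dom) n["permissive=" mode " " cls " " perm " " tgt]++
        }
        END { for (k in n) print n[k], k }' | sort
}

# Constructed sample records (timestamps, pids and comm values are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1724300000.101:411): avc:  denied  { name_bind } for  pid=2101 comm="nms-core" src=10000 scontext=system_u:system_r:nms_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1724300005.330:415): avc:  denied  { name_bind } for  pid=2144 comm="nms-core" src=10000 scontext=system_u:system_r:nms_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1724300009.870:420): avc:  denied  { read open } for  pid=2150 comm="nms-dpm" path="/var/lib/nms/modules.json" dev="dm-0" ino=77 scontext=system_u:system_r:nms_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1724300011.002:421): avc:  denied  { name_connect } for  pid=990 comm="nginx" dest=11000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nms_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo on the constructed records; only the nms_t denials are counted.
sample_audit_log | avc_summary nms_t
```

On a live host, feed the function from `sudo ausearch -m AVC --raw` or from /var/log/audit/audit.log instead of the sample records.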
    

Add Ports to SELinux Context

NGINX Management Suite uses the nms_t context in the policy module. The following example shows how to add a new port to the context. You should add external ports to the firewall exception list. Note, as a system admin, you’re responsible for any custom configurations that differ from the default policy.

To add TCP ports 10000 and 11000 to the nms_t context, run the following commands:

sudo semanage port -a -t nms_port_t -p tcp 10000
sudo semanage port -a -t nms_port_t -p tcp 11000

If you’ve already defined the port context, use -m:

sudo semanage port -m -t nms_port_t -p tcp 10000
sudo semanage port -m -t nms_port_t -p tcp 11000

Verify that the ports have the correct label by running the following seinfo --portcon commands:

$ seinfo --portcon=10000

Portcon: 4
   portcon sctp 1024-65535 system_u:object_r:unreserved_port_t:s0
   portcon tcp 10000 system_u:object_r:nms_port_t:s0
   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
   portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0

$ seinfo --portcon=11000

Portcon: 4
   portcon sctp 1024-65535 system_u:object_r:unreserved_port_t:s0
   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
   portcon tcp 11000 system_u:object_r:nms_port_t:s0
   portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
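
The choice between -a and -m and the seinfo check can be combined into one decision, shown in this added example (not part of the original documentation). The function and sample names are hypothetical; the first sample is the output shown above for port 10000 and the other two are constructed.

```sh
#!/bin/sh
# Added example, not part of the product documentation.
# plan_port_label PORT [TYPE]: read `seinfo --portcon=PORT` output on stdin and
# print "ok", or the semanage command PORT still needs to carry TYPE.
plan_port_label() {
    awk -v port="$1" -v want="${2:-nms_port_t}" '
        # An exact single-port tcp entry decides; range lines such as
        # "portcon tcp 1024-32767 ..." mean no specific label exists yet.
        $1 == "portcon" && $2 == "tcp" && $3 == port {
            split($4, ctx, ":")          # user:role:type:level
            have = ctx[3]
        }
        END {
            if (have == want)    print "ok"
            else if (have != "") print "semanage port -m -t " want " -p tcp " port
            else                 print "semanage port -a -t " want " -p tcp " port
        }'
}

# Output from the page for port 10000.
seinfo_labelled() {
    cat <<'EOF'
Portcon: 4
   portcon sctp 1024-65535 system_u:object_r:unreserved_port_t:s0
   portcon tcp 10000 system_u:object_r:nms_port_t:s0
   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
   portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
EOF
}

# Constructed: a port covered only by the base policy range.
seinfo_unlabelled() {
    echo "   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0"
}

# Constructed: a port that already has a different specific type.
seinfo_other_type() {
    echo "   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0"
    echo "   portcon tcp 8080 system_u:object_r:http_cache_port_t:s0"
}

seinfo_labelled   | plan_port_label 10000
seinfo_unlabelled | plan_port_label 12000
seinfo_other_type | plan_port_label 8080
```

On a live host, run it as `seinfo --portcon=10000 | plan_port_label 10000` and execute the printed command with sudo.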

Remove Ports from SELinux Context

If you uninstall NGINX Management Suite, you should remove the ports. To do this, run the following commands:

sudo semanage port -d -t nms_port_t -p tcp 10000
sudo semanage port -d -t nms_port_t -p tcp 11000

Enabling SELinux for NGINX Agent

The following SELinux files are added when installing the NGINX Agent package:

  • /usr/share/selinux/packages/nginx_agent.pp - loadable binary policy module
  • /usr/share/selinux/devel/include/contrib/nginx_agent.if - interface definitions file
  • /usr/share/man/man8/nginx_agent_selinux.8.gz - policy man page

To load the NGINX Agent policy, run the following commands:

sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
sudo /usr/sbin/load_policy
sudo restorecon -R /usr/bin/nginx-agent
sudo restorecon -R /var/log/nginx-agent
sudo restorecon -R /etc/nginx-agent

Add Ports to NGINX Agent SELinux Context

You can configure the NGINX Agent to work with SELinux. Make sure you add external ports to the firewall exception list.

The following example shows how to allow external ports outside the HTTPD context. You may need to enable NGINX to connect to these ports.

sudo setsebool -P httpd_can_network_connect 1

See Also:
For additional information on using NGINX with SELinux, refer to the guide Using NGINX and NGINX Plus with SELinux.


Last modified August 22, 2024