Configure SELinux
The default settings for Security-Enhanced Linux (SELinux) on modern Red Hat Enterprise Linux (RHEL) and related distros can be very strict, erring on the side of security rather than convenience.
To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile.
For troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but this is inadvisable for prolonged use.
Although F5 WAF for NGINX provides an optional package with a prebuilt SELinux policy (app-protect-selinux), your specific configuration might be blocked unless you adjust the policy or modify file labels.
If you plan to store your security policy files in an alternative folder such as /etc/security_policies, you should change the default SELinux file context:
semanage fcontext -a -t nap-compiler_conf_t /etc/security_policies
restorecon -Rv /etc/security_policies
If you want to send logs to a custom, unreserved port, you can use semanage to add the desired port to the syslogd_port_t type:
semanage port -a -t syslogd_port_t -p tcp <your-port>
Review the syslog ports by entering the following command:
semanage port -l | grep syslog
For more information related to syslog, see the Security logs topic.
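The following added example (not part of the F5 documentation) reads the output of semanage port -l and prints the semanage command still needed to label a port as syslogd_port_t. It goes beyond the page in one respect: when the port already has an exact entry under another type, semanage port -a reports the port as already defined, so the script prints the -m (modify) form instead. The function names, port 5140 and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the F5 documentation.

# Constructed sample in the layout printed by `semanage port -l`.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
unreserved_port_t              tcp      61001-65535, 1024-32767'

# port_plan PROTO PORT: reads a `semanage port -l` listing on stdin, prints
#   present  PORT already has an exact syslogd_port_t entry for PROTO
#   modify   PORT has an exact entry under a different type
#   add      no exact entry exists (a range that merely contains PORT is ignored)
port_plan() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)        # strip the list separator
                if (entry != port) continue
                if ($1 == "syslogd_port_t") plan = "present"
                else if (plan == "") plan = "modify"
            }
        }
        END { print (plan == "" ? "add" : plan) }'
}

# syslog_port_command PROTO PORT: prints the semanage command still needed
# (nothing if the label is already in place); returns 2 on invalid input.
syslog_port_command() {
    case $1 in tcp|udp) ;; *) echo "bad protocol: $1" >&2; return 2 ;; esac
    # Reject empty, leading-zero, non-numeric and over-long values.
    case $2 in ''|0*|*[!0-9]*|??????*) echo "bad port: $2" >&2; return 2 ;; esac
    if [ "$2" -gt 65535 ]; then echo "port out of range: $2" >&2; return 2; fi
    case $(port_plan "$1" "$2") in
        add)    echo "semanage port -a -t syslogd_port_t -p $1 $2" ;;
        modify) echo "semanage port -m -t syslogd_port_t -p $1 $2" ;;
    esac
}

# On a real host: semanage port -l | syslog_port_command tcp 5140
printf '%s\n' "$SAMPLE_PORT_LIST" | syslog_port_command tcp 5140
```

A modify result means the port currently belongs to another service's type, so check which service relies on that label before relabeling it.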