SELinux support

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC).

All official CentOS Linux builds come pre-configured with SELinux enabled and set to enforcement mode. There are two approaches to running the agent on a system with SELinux enabled:

  • Set SELinux to Permissive mode or disable SELinux completely
  • Configure SELinux to allow the module and agent to communicate

Determine if SELinux is enabled in enforcement mode

System administrators may not be aware that SELinux is installed until they encounter an error similar to the following when trying to connect the module to the agent:

2016/05/11 22:16:29 [crit] 3193#3193: *10 connect()
to unix:/var/run/sigsci.sock failed
(13: Permission denied), client: 192.0.2.209,
server: localhost, request: "GET /ping HTTP/1.1",
host: "192.0.2.209"

To check the status of SELinux, run the command sestatus, which produces output similar to the following:

$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Set SELinux to Permissive mode or disable SELinux completely

The main configuration file for SELinux is /etc/selinux/config. Run the following command to view its contents:

$ cat /etc/selinux/config

The output will look something like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

You want to either disable or switch to permissive (logging) mode. A conservative first step may be changing the configuration line to SELINUX=permissive if you want to preserve the logging. You will then need to reboot the system entirely for this change to be applied and then verify the new status for SELinux with another sestatus command.

Configure SELinux to allow the module and agent to communicate

Assuming the system has SELinux in permissive or enforcing mode, and that SELinux denials are written to /var/log/audit/audit.log (other distributions may write the audit log elsewhere):

  1. Log in as root to install the Next-Gen WAF agent and module.

  2. Restart the web server and start the agent.

  3. Browse the website to cause the module to invoke communications with the agent.

    • In permissive mode, the audit log is populated with messages describing what would have been blocked.
    • In enforcing mode, the same messages are appended to the audit log.

  4. From your home directory, run the following command to create a .te file and a .pp (policy package) file: cat /var/log/audit/audit.log | audit2allow -M sigsci (audit2allow -M writes both sigsci.te and sigsci.pp to the current directory, so no output redirection is needed).

  5. Install the policy package file with semodule -i sigsci.pp.

  6. Verify the policy was installed and loaded by running the following command: semodule -l. The list of loaded modules should include sigsci. The generated sigsci.te policy definition will look something like this:

    ## Policy definition for SigSci Agent package on Rocky Linux 8
    ## Use make sigsci.pp (with a link to the SELinux policy devel Makefile)
    ## Requires policycoreutils-devel package
    ## make -f /usr/share/selinux/devel/Makefile sigsci.pp
    ## to create a module. Then run semodule -i sigsci.pp to install it
    policy_module(sigsci, 1.0)

    require {
        type httpd_t;
    }

    #============= httpd_t =============
    files_write_generic_pid_sockets(httpd_t)

  7. Restart the web server and Next-Gen WAF agent.
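The script below is an added example for this guide; it is not part of the Fastly Next-Gen WAF documentation or the agent package. It turns the steps above into a small POSIX shell script: it reads the SELINUX= mode from a config file in the /etc/selinux/config format, picks out only the AVC denial records that concern the module-to-agent socket, summarizes them as (source domain, object class, permission) so you can review what the generated policy will allow, and only then hands those records to audit2allow. It assumes auditd writes /var/log/audit/audit.log, that the agent socket is /var/run/sigsci.sock, and that audit2allow and semodule are installed; the sample audit records are constructed for offline runs and are not real log output.

```shell
#!/bin/sh
# Added example, not code from the Fastly Next-Gen WAF docs or the agent.
# Assumptions (adjust to your host): auditd logs to /var/log/audit/audit.log,
# the agent listens on /var/run/sigsci.sock, audit2allow and semodule exist.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
SOCK_PATH="${SOCK_PATH:-/var/run/sigsci.sock}"

# Value of SELINUX= (enforcing, permissive or disabled) in a file of the
# /etc/selinux/config format; comment lines and SELINUXTYPE= are ignored.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Keep only AVC denial records that mention the agent socket, whether the
# record names it as name="sigsci.sock" (sock_file) or path=... (connectto).
# Reads audit records on stdin; $1 is the socket path.
sigsci_denials() {
    grep -E '^type=AVC .*denied ' | grep -F "$(basename "$1")"
}

count_sigsci_denials() {
    sigsci_denials "$1" | wc -l | tr -d ' '
}

# One line per distinct (source domain, object class, permission) so the
# reviewer can confirm that only httpd_t access to the agent socket is granted.
summarize_denials() {
    sigsci_denials "$1" \
      | sed -E 's/.*denied +[{] ([^}]*) [}].*scontext=([^ ]+).*tclass=([^ ]+).*/\2 \3 \1/' \
      | sort -u
}

# Build $3.te/$3.pp from the filtered records only. Feeding the entire audit
# log to audit2allow (as in step 4) would also generate allow rules for every
# unrelated denial recorded on the host.
build_module() {
    n=$(count_sigsci_denials "$2" < "$1")
    if [ "$n" -eq 0 ]; then
        echo "no AVC denials for $2 in $1; reproduce the request (step 3) first" >&2
        return 1
    fi
    echo "building $3.pp from $n denial record(s):"
    summarize_denials "$2" < "$1"
    sigsci_denials "$2" < "$1" | audit2allow -M "$3" \
      && echo "review $3.te, then: semodule -i $3.pp && semodule -l | grep $3"
}

# Constructed sample records in audit.log format for offline runs. The third
# record is an unrelated sshd denial that the filter must leave out, and the
# SYSCALL record is the non-AVC half of the first denial.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1463004989.102:2051): avc:  denied  { write } for  pid=3193 comm="nginx" name="sigsci.sock" dev="tmpfs" ino=40213 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1463004989.102:2052): avc:  denied  { connectto } for  pid=3193 comm="nginx" path="/var/run/sigsci.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1463004991.447:2053): avc:  denied  { read } for  pid=1187 comm="sshd" name="authorized_keys" dev="dm-0" ino=9981 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1463004989.102:2051): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
}

# Usage (as root, after reproducing the denial as in step 3):
#   sh sigsci_selinux.sh show   # list the socket-related denials
#   sh sigsci_selinux.sh build  # generate sigsci.te and sigsci.pp
#   sh sigsci_selinux.sh demo   # run the summary over the constructed sample
case "${1:-}" in
    build) build_module "$AUDIT_LOG" "$SOCK_PATH" sigsci ;;
    show)  summarize_denials "$SOCK_PATH" < "$AUDIT_LOG" ;;
    demo)  sample_audit_log | summarize_denials "$SOCK_PATH" ;;
esac
```

Running the demo mode over the constructed sample prints two summary lines, both with source domain httpd_t (one sock_file write, one unix_stream_socket connectto), and nothing for the sshd record. Filtering before audit2allow is the main design choice: the resulting sigsci.pp then covers only the web server's access to the agent socket, which is what the .te shown in step 6 expresses, rather than whatever else happened to be denied on the host while the log was being collected.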
