nginx · JTorreG · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025
@@ -0,0 +1,17 @@
+---
+docs:
+files:
+  - content/nginx-one/agent/configure-instance-reporting/configure-selinux.md
+  - content/nim/system-configuration/configure-selinux.md
+  - content/nms/nginx-agent/install-nginx-agent.md
+---
+
+Make sure to add external ports to the firewall exception list.
+
+To allow external ports outside the HTTPD context, run:
+
+```bash
+sudo setsebool -P httpd_can_network_connect 1
+```
+
+{{<see-also>}}For more information, see [Using NGINX and NGINX Plus with SELinux](https://www.nginx.com/blog/using-nginx-plus-with-selinux/).{{</see-also>}}
@@ -0,0 +1,23 @@
+---
+docs:
+files:
+   - content/nginx-one/agent/configure-instance-reporting/configure-selinux.md
+   - content/nim/system-configuration/configure-selinux.md
+   - content/nms/nginx-agent/install-nginx-agent.md
+---
+
+The following SELinux files are added when you install the NGINX Agent package:
+
+- `/usr/share/selinux/packages/nginx_agent.pp` - loadable binary policy module
+- `/usr/share/selinux/devel/include/contrib/nginx_agent.if` - interface definitions file
+- `/usr/share/man/man8/nginx_agent_selinux.8.gz` - policy man page
+
+To load the NGINX Agent policy, run the following commands as root:
+
+```bash
+sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
+sudo /usr/sbin/load_policy
+sudo restorecon -R /usr/bin/nginx-agent
+sudo restorecon -R /var/log/nginx-agent
+sudo restorecon -R /etc/nginx-agent
+```
@@ -0,0 +1,43 @@
+---
+title: Configure SELinux
+weight: 600
+toc: true
+---
+
+## Overview
+
+You can use the optional SELinux policy module included in the package to secure F5 NGINX Agent operations with flexible, mandatory access control that follows the principle of least privilege.
+
+{{< important >}}The SELinux policy module is optional. It is not loaded automatically during installation, even on SELinux-enabled systems. You must manually load the policy module using the steps below.{{< /important >}}
+
+## Before you begin
+
+Take these preparatory steps before configuring SELinux:
+
+1. Enable SELinux on your system.
+2. Install the tools `load_policy`, `semodule`, and `restorecon`.
+3. [Install NGINX Agent]({{< ref "/nginx-one/agent/install-upgrade/_index.md" >}}) with SELinux module files in place.
+
+{{< important >}}SELinux can use `permissive` mode, where policy violations are logged instead of enforced. Verify which mode your configuration uses.{{< /important >}}
+
+---
+
+## Enable SELinux for NGINX Agent {#selinux-agent}
+
+{{< include "/installation/enable-agent-selinux.md" >}}
+
+### Add ports to NGINX Agent SELinux context
+
+{{< include "/installation/add-ports-agent-selinux.md" >}}
+
+---
+
+## Recommended Resources
+
+- <https://man7.org/linux/man-pages/man8/selinux.8.html>
+- <https://www.redhat.com/en/topics/linux/what-is-selinux>
+- <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux>
+- <https://wiki.centos.org/HowTos/SELinux>
+- <https://wiki.gentoo.org/wiki/SELinux>
+- <https://opensource.com/business/13/11/selinux-policy-guide>
+- <https://www.nginx.com/blog/using-nginx-plus-with-selinux/>
@@ -118,27 +118,11 @@ sudo semanage port -d -t nms_t 11000
 
 ## Enable SELinux for NGINX Agent {#selinux-agent}
 
-The following SELinux files are added when you install the NGINX Agent package:
-
-- `/usr/share/selinux/packages/nginx_agent.pp` - loadable binary policy module
-- `/usr/share/selinux/devel/include/contrib/nginx_agent.if` - interface definitions file
-- `/usr/share/man/man8/nginx_agent_selinux.8.gz` - policy man page
-
-To load the NGINX Agent policy, run:
-
-{{< include "installation/agent-selinux.md" >}}
+{{< include "/installation/enable-agent-selinux.md" >}}
 
 ### Add ports to NGINX Agent SELinux context
 
-Make sure to add external ports to the firewall exception list.
-
-To allow external ports outside the HTTPD context, run:
-
-```bash
-sudo setsebool -P httpd_can_network_connect 1
-```
-
-{{<see-also>}}For more information, see [Using NGINX and NGINX Plus with SELinux](https://www.nginx.com/blog/using-nginx-plus-with-selinux/).{{</see-also>}}
+{{< include "/installation/add-ports-agent-selinux.md" >}}
 
 ---
 

@@ -400,31 +400,11 @@ Additionally, you can use the agent installation script to add these fields:
 
 ## SELinux for NGINX Agent
 
-This section explains how to install and configure the SELinux policy for NGINX Agent.
+{{< include "/installation/enable-agent-selinux.md" >}}
 
-### Installing NGINX Agent SELinux Policy Module
+### Add ports to NGINX Agent SELinux context
 
-The NGINX Agent package includes the following SELinux files:
-
-- `/usr/share/man/man8/nginx_agent_selinux.8.gz`
-- `/usr/share/selinux/devel/include/contrib/nginx_agent.if`
-- `/usr/share/selinux/packages/nginx_agent.pp`
-
-To load the NGINX Agent policy, run the following commands:
-
-{{< include "installation/agent-selinux.md" >}}
-
-### Adding Ports for NGINX Agent SELinux Context
-
-You can configure NGINX Agent to work with SELinux. Make sure you add external ports to the firewall exception list.
-
-The following example shows how to allow external ports outside the HTTPD context. You may need to enable NGINX to connect to these ports.
-
-```bash
-sudo setsebool -P httpd_can_network_connect 1
-```
-
-For additional information on using NGINX with SELinux, refer to the guide [Using NGINX and NGINX Plus with SELinux](https://www.nginx.com/blog/using-nginx-plus-with-selinux/).
+{{< include "/installation/add-ports-agent-selinux.md" >}}
 
 ---