SELinux is a security mechanism that works on top of the native file and directory read/write/execute permissions within the Linux file system. It is available for most Linux distributions and is installed by default in newer RHEL (Red Hat Enterprise Linux) & Fedora distributions.
As SELinux may prevent the installation and/or operation of any software being executed, ensure that you create an appropriate policy file for it.
Ensure that you consult with your security team to determine the correct level of access for the APM.
SELinux allows you to set a finer granularity of restrictions on access and execution. This control is represented by "policy files", typically created and maintained by the SecOps team within your organization. For more details about SELinux, see https://selinuxproject.org/page/Main_Page.
The policy files are found in /etc/sestatus.conf by default. To determine if SELinux exists on your system, run the getenforce command, which returns the string Enforcing if it is active.
Alternatively, you can run this command:
sestatus
which generates this output:
SELinux status: enabled
SELinuxfs mount: /selinux
Current Mode: permissive
Policy version: 16
If SELinux status is disabled, it indicates that the system has not installed the package. However, if the status returned is enabled, but the Current Mode is permissive, then SELinux policy files are not enforced.
To install and test the APM Agent:
- Set the mode to permissive and then enable it
- Follow the SELinux guidelines to create the appropriate policy statements for the agent in question
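The sestatus interpretation described above can be scripted as a pre-install check. This is an added example, not part of the original documentation; the function names sestatus_field and selinux_state are hypothetical, and the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: classify the SELinux state from `sestatus` output.

# Constructed sample, in the output format shown on this page.
SAMPLE_OUTPUT='SELinux status: enabled
SELinuxfs mount: /selinux
Current Mode: permissive
Policy version: 16'

# sestatus_field NAME: read sestatus text on stdin and print the lowercased
# value of field NAME. Labels are compared case-insensitively because the
# capitalisation differs between releases ("Current Mode" / "Current mode").
sestatus_field() {
    awk -F':' -v want="$1" '
        tolower($1) == tolower(want) {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim padding around the value
            print tolower(val)
            exit
        }'
}

# selinux_state TEXT: print disabled | permissive | enforcing | unknown.
selinux_state() {
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    mode=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    case "$status" in
        disabled) echo disabled; return ;;
        enabled)  ;;                        # fall through to the mode check
        *)        echo unknown; return ;;   # unparseable or empty output
    esac
    case "$mode" in
        enforcing|permissive) echo "$mode" ;;
        *)                    echo unknown ;;
    esac
}

# Use live output when sestatus is installed, otherwise the constructed sample.
if command -v sestatus >/dev/null 2>&1; then
    report=$(sestatus 2>/dev/null)
else
    report=$SAMPLE_OUTPUT
fi

case "$(selinux_state "$report")" in
    enforcing)  echo "SELinux is enforcing: policy files are applied." ;;
    permissive) echo "SELinux is permissive: policy files are not enforced." ;;
    disabled)   echo "SELinux status is disabled." ;;
    *)          echo "Could not determine the SELinux state." ;;
esac
```

An unknown result means the output did not contain the expected fields and should be checked by hand before installing the agent.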