Configure SELinux

SELinux (Security-Enhanced Linux) is a Linux kernel security module that uses mandatory access control (MAC) to restrict processes and users to policies defined by the system administrator. It is available for most Linux distributions and enabled by default on newer Red Hat Enterprise Linux distributions.

Dynatrace Managed automatically detects the SELinux mode during installation and applies the correct file contexts so its services can run in enforcing mode. This requires the semanage utility to be installed on your system. Installation fails if the package is missing.

  • New installations — no additional steps required.
  • Existing installations — after enabling SELinux, run the reconfigure.sh script:
    /opt/dynatrace-managed/installer/reconfigure.sh
  • Older versions — change SELinux mode to permissive.

Enable SELinux

Before enabling SELinux, make sure the following packages are installed on your system:

  • policycoreutils
  • selinux-utils
  • selinux-basics

The steps below use Ubuntu as an example.

  1. Use the apt command to install the following packages:

    sudo apt install policycoreutils selinux-utils selinux-basics
  2. Activate SELinux:

    sudo selinux-activate

    You should see:

    SE Linux is activated. You may need to reboot now.
  3. Set SELinux to enforcing mode:

    sudo selinux-config-enforcing
  4. Stop Dynatrace Managed services:

    ./dynatrace.sh stop

    See Start/stop/restart a node for details.

  5. Restart your system.
    SELinux relabelling will be triggered after you reboot your system. When finished, the system will reboot one more time automatically.

  6. Check the SELinux status:

    # sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: default
    Current mode: enforcing
    Mode from config file: error (Success)
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: requested (insecure)
    Max kernel policy version: 31
  7. Reconfigure Dynatrace Managed with SELinux enabled:

    /opt/dynatrace-managed/installer/reconfigure.sh

Disable SELinux

To disable SELinux, follow these steps:

  1. Open /etc/selinux/config and set SELINUX to disabled:

    SELINUX=disabled
  2. Stop Dynatrace Managed services:

    ./dynatrace.sh stop

    See Start/stop/restart a node for details.

  3. Reboot your system.

  4. Reconfigure Dynatrace Managed with SELinux disabled:

    /opt/dynatrace-managed/installer/reconfigure.sh

Operating system changes

If SELinux is in enforcing mode and custom paths are used for installation or storage, the Managed installer updates the file context of all Dynatrace Managed directories to usr_t. For a custom path /custom-dir/dynatrace-managed, it runs:

semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed"
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed/.*"
restorecon -R /custom-dir/dynatrace-managed
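
To confirm the result afterwards, the following added example (not Dynatrace tooling) reads the current mode from sestatus output and lists every path whose SELinux type is not usr_t. The function names and the sample listing are constructed for illustration, and the check assumes that every path under the custom directory should carry usr_t, as the rules above imply.

```shell
#!/bin/sh
# Added example (not Dynatrace tooling): audit the usr_t labelling shown above.
# Function names and the sample listing are constructed for illustration.

# Print the "Current mode" value from sestatus output read on stdin.
current_mode() {
    sed -n 's/^[[:space:]]*Current mode:[[:space:]]*//p'
}

# Extract the type (third field) from a context like system_u:object_r:usr_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin and print each path whose type is not
# usr_t. Returns 1 if at least one such path was seen, 0 otherwise.
mislabelled() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(context_type "$ctx")" != "usr_t" ]; then
            printf '%s\n' "$path"
            bad=1
        fi
    done
    return "$bad"
}

# Live check for a real host: needs semanage, enforcing mode and GNU stat (%C).
check_tree() {
    command -v semanage >/dev/null || { echo "semanage is not installed" >&2; return 2; }
    [ "$(sestatus | current_mode)" = "enforcing" ] || { echo "SELinux is not enforcing" >&2; return 3; }
    find "$1" -exec stat -c '%C %n' {} + | mislabelled
}

# Constructed sample in "context path" form; the last entry has the wrong type.
SAMPLE='system_u:object_r:usr_t:s0 /custom-dir/dynatrace-managed
system_u:object_r:usr_t:s0 /custom-dir/dynatrace-managed/example.conf
unconfined_u:object_r:default_t:s0 /custom-dir/dynatrace-managed/example.log'

# Prints the offending path, then the command from the page that relabels it.
printf '%s\n' "$SAMPLE" | mislabelled || echo "run: restorecon -R /custom-dir/dynatrace-managed"
```

On a real host, call check_tree /custom-dir/dynatrace-managed as root; an exit status of 0 with no output means every path carries usr_t.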