Dynatrace Managed version 1.222+
SELinux (Security-Enhanced Linux) is a Linux kernel security module that acts as a protective agent on servers. It relies on mandatory access control (MAC) to restrict users to policies defined by the system administrator.
SELinux is available for most Linux distributions and is installed by default in newer Red Hat Enterprise Linux distributions.
The Dynatrace Managed installation automatically discovers the SELinux mode of your system and changes the SELinux context of files so that Dynatrace Managed services can run successfully in enforcing mode. Installing Dynatrace Managed on an SELinux system in enforcing mode requires that the semanage utility be available on your system. Installation will fail if the required package is missing.
reconfigure.sh script:
<PRODUCT_PATH>/installer/reconfigure.sh
permissive.
To enable or disable SELinux on your system, make sure that you have the semanage utility and other required packages installed.
To enable SELinux on your system, make sure you have the required packages installed:
policycoreutils
selinux-utils
selinux-basics
Also, make sure that you have activated SELinux on your system.
To set up SELinux in Ubuntu
Use the apt command to install the following packages:
sudo apt install policycoreutils selinux-utils selinux-basics
Activate SELinux:
sudo selinux-activate
You should see:
SE Linux is activated. You may need to reboot now.
Set SELinux to enforcing mode:
sudo selinux-config-enforcing
Stop Dynatrace Managed services:
./dynatrace.sh stop
See Start/stop/restart a node for details.
Restart your system.
SELinux relabelling will be triggered after you reboot your system. When finished, the system will reboot one more time automatically.
Check the SELinux status:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
Reconfigure Dynatrace Managed with SELinux enabled:
<PRODUCT_PATH>/installer/reconfigure.sh
To disable SELinux
Open the /etc/selinux/config configuration file and change the SELINUX parameter value to disabled:
SELINUX=disabled
Stop Dynatrace Managed services:
./dynatrace.sh stop
See Start/stop/restart a node for details.
Reboot your system.
Reconfigure Dynatrace Managed with SELinux disabled:
<PRODUCT_PATH>/installer/reconfigure.sh
The Dynatrace Managed installer makes the following changes to your system if the SELinux mode is enforcing and custom paths are used for installation or storage:
File context is updated to usr_t for all Dynatrace Managed directories (binaries and storage) by executing the following commands, where /custom-dir/dynatrace-managed is a customized path for Dynatrace Managed installation or storage:
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed"
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed/.*"
restorecon -R /custom-dir/dynatrace-managed
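A way to check the two conditions this page depends on, as an added example that is not Dynatrace's own code: whether semanage is present when the mode is enforcing, and whether everything under the custom path carries the usr_t type. The function names, the sample data, and the two-column "context path" input layout are assumptions made for this example.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print the current SELinux mode from `sestatus` output on stdin ("disabled" if off).
selinux_mode() {
    awk -F': *' '
        /^SELinux status/ { status = $2 }
        /^Current mode/   { mode = $2 }
        END { if (status == "enabled" && mode != "") print mode; else print "disabled" }'
}

# Succeed unless the mode is enforcing and semanage is missing from PATH,
# the case in which the page says installation fails.
preflight_ok() {
    [ "$1" != "enforcing" ] || command -v semanage >/dev/null 2>&1
}

# Read "context path" lines on stdin (as printed by GNU `stat -c '%C %n'`) and
# print each path whose type, the third field of user:role:type[:level], is not $1.
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) { sub(/^[^ \t]+[ \t]+/, ""); print }
        }'
}

# Constructed sample input, not captured from a real host.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing'
SAMPLE_LABELS='system_u:object_r:usr_t:s0 /custom-dir/dynatrace-managed
system_u:object_r:usr_t:s0 /custom-dir/dynatrace-managed/server
unconfined_u:object_r:default_t:s0 /custom-dir/dynatrace-managed/restored.tar'

mode=$(printf '%s\n' "$SAMPLE_SESTATUS" | selinux_mode)
preflight_ok "$mode" || echo "enforcing mode but semanage is not installed"
# Anything listed here needs `restorecon -R` on the custom path.
printf '%s\n' "$SAMPLE_LABELS" | mislabeled usr_t
```

On a live host, pipe `sestatus` into selinux_mode and the output of `find /custom-dir/dynatrace-managed -exec stat -c '%C %n' {} +` into mislabeled.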