Enable or disable SELinux

Dynatrace Managed version 1.222+

SELinux (Security-Enhanced Linux) is a Linux security kernel that acts as a protective agent on servers. It relies on mandatory access control (MAC) to restrict users to policies defined by the system administrator.

SELinux is available for most Linux distributions and is installed by default in newer Red Hat Enterprise Linux distributions.

Dynatrace Managed installation automatically discovers the SELinux mode status in your system and changes the SELinux context of files so Dynatrace Managed services can run successfully in enforcing mode. Installation of Dynatrace Managed on a SELinux system in enforcing mode requires that the semanage utility be available on your system. Installation will fail if the required package is missing.

• For new installations, you aren't required to perform any additional steps.
• For existing installations, after you enable SELinux you need to run the reconfigure.sh script:

  shellcopydownload
  <PRODUCT_PATH>/installer/reconfigure.sh

• For older versions, you need to change SELinux mode to permissive.

To enable or disable SELinux on your system, make sure that you have the semanage utility and other required packages installed.

Enable SELinux

To enable SELinux on your system, make sure you have the required packages installed:

• policycoreutils
• selinux-utils
• selinux-basics

Also, make sure that you have activated SELinux on your system.

To set up SELinux in Ubuntu

1. Use the apt command to install the following packages:

   shellcopydownload
   sudo apt install policycoreutils selinux-utils selinux-basics

2. Activate SELinux:

   shellcopydownload
   sudo selinux-activate

   You should see:

   shellcopydownload
   SE Linux is activated. You may need to reboot now.

3. Set SELinux to enforcing mode:

   shellcopydownload
   sudo selinux-config-enforcing

4. Stop Dynatrace Managed services:

   shellcopydownload
   ./dynatrace.sh stop

   See Start/stop/restart a node for details.

5. Restart your system.
   SELinux relabelling will be triggered after you reboot your system. When finished, the system will reboot one more time automatically.

6. Check the SELinux status:

   shellcopydownload
   # sestatus
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             default
   Current mode:                   enforcing
   Mode from config file:          error (Success)
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     requested (insecure)
   Max kernel policy version:      31

7. Reconfigure Dynatrace Managed with SELinx enabled:

   shellcopydownload
   <PRODUCT_PATH>/installer/reconfigure.sh

Disable SELinux

To disable SELinux

1. Open up the /etc/selinux/config configuration file and change the SELINUX parameter value to disabled:

   shellcopydownload
   SELINUX=disabled

2. Stop Dynatrace Managed services:

   shellcopydownload
   ./dynatrace.sh stop

   See Start/stop/restart a node for details.

3. Reboot your system.

4. Reconfigure Dynatrace Managed with SELinx disabled:

   shellcopydownload
   <PRODUCT_PATH>/installer/reconfigure.sh

Operating system changes

The Dynatrace Managed installer performs the following changes to your system if SELinux mode is enforcing and custom paths are used for installation or storage:

File context is updated to usr_t for all Dynatrace Managed directories (binaries and storage) by executing the following commands, where /custom-dir/dynatrace-managed is a customized path for Dynatrace Managed installation or storage:

shellcopydownload
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed"

shellcopydownload
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed/.*"

shellcopydownload
restorecon -R /custom-dir/dynatrace-managed