• Home
  • Dynatrace Managed
  • Installation
  • Enable or disable SELinux

Enable or disable SELinux

Dynatrace Managed version 1.222+

SELinux (Security-Enhanced Linux) is a Linux security kernel that acts as a protective agent on servers. It relies on mandatory access control (MAC) to restrict users to policies defined by the system administrator.

SELinux is available for most Linux distributions and is installed by default in newer Red Hat Enterprise Linux distributions.

Dynatrace Managed installation automatically discovers the SELinux mode status in your system and changes the SELinux context of files so Dynatrace Managed services can run successfully in enforcing mode. Installation of Dynatrace Managed on a SELinux system in enforcing mode requires that the semanage utility be available on your system. Installation will fail if the required package is missing.

  • For new installations, you aren't required to perform any additional steps.
  • For existing installations, after you enable SELinux you need to run the reconfigure.sh script:
    shell
    <PRODUCT_PATH>/installer/reconfigure.sh
  • For older versions, you need to change SELinux mode to permissive.

To enable or disable SELinux on your system, make sure that you have the semanage utility and other required packages installed.

Enable SELinux

To enable SELinux on your system, make sure you have the required packages installed:

  • policycoreutils
  • selinux-utils
  • selinux-basics

Also, make sure that you have activated SELinux on your system.

To set up SELinux in Ubuntu

  1. Use the apt command to install the following packages:

    shell
    sudo apt install policycoreutils selinux-utils selinux-basics
  2. Activate SELinux:

    shell
    sudo selinux-activate

    You should see:

    shell
    SE Linux is activated. You may need to reboot now.
  3. Set SELinux to enforcing mode:

    shell
    sudo selinux-config-enforcing
  4. Stop Dynatrace Managed services:

    shell
    ./dynatrace.sh stop

    See Start/stop/restart a node for details.

  5. Restart your system.
    SELinux relabelling will be triggered after you reboot your system. When finished, the system will reboot one more time automatically.

  6. Check the SELinux status:

    shell
    # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: enforcing Mode from config file: error (Success) Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: requested (insecure) Max kernel policy version: 31
  7. Reconfigure Dynatrace Managed with SELinx enabled:

    shell
    <PRODUCT_PATH>/installer/reconfigure.sh

Disable SELinux

To disable SELinux

  1. Open up the /etc/selinux/config configuration file and change the SELINUX parameter value to disabled:

    shell
    SELINUX=disabled
  2. Stop Dynatrace Managed services:

    shell
    ./dynatrace.sh stop

    See Start/stop/restart a node for details.

  3. Reboot your system.

  4. Reconfigure Dynatrace Managed with SELinx disabled:

    shell
    <PRODUCT_PATH>/installer/reconfigure.sh

Operating system changes

The Dynatrace Managed installer performs the following changes to your system if SELinux mode is enforcing and custom paths are used for installation or storage:

File context is updated to usr_t for all Dynatrace Managed directories (binaries and storage) by executing the following commands, where /custom-dir/dynatrace-managed is a customized path for Dynatrace Managed installation or storage:

shell
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed"
shell
semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed/.*"
shell
restorecon -R /custom-dir/dynatrace-managed