Enable or disable SELinux

Dynatrace Managed version 1.222+

SELinux (Security-Enhanced Linux) is a Linux kernel security module that acts as a protective agent on servers. It relies on mandatory access control (MAC) to restrict users to policies defined by the system administrator.

SELinux is available for most Linux distributions and is installed by default in newer Red Hat Enterprise Linux distributions.

Dynatrace Managed installation automatically discovers the SELinux mode of your system and changes the SELinux context of files so Dynatrace Managed services can run successfully in enforcing mode. Installation of Dynatrace Managed on an SELinux system in enforcing mode requires that the semanage utility be available on your system. Installation will fail if the required package is missing.

  • For new installations, you aren't required to perform any additional steps.
  • For existing installations, after you enable SELinux you need to run the reconfigure.sh script:
    <PRODUCT_PATH>/installer/reconfigure.sh
    
  • For older versions, you need to change SELinux mode to permissive.

To enable or disable SELinux on your system, make sure that you have the semanage utility and other required packages installed.
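
The following preflight check is an added example, not part of the Dynatrace installer or its documentation. It compares the running SELinux mode with the one set in /etc/selinux/config and confirms that semanage is present before you install or run reconfigure.sh. The function names and exit codes (0 proceed, 1 install would fail, 2 reboot pending) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check for an SELinux host before install/reconfigure.
# Function names and exit codes are illustrative, not Dynatrace's own.

# Print the SELINUX= value from a config file (default /etc/selinux/config).
# Comment lines and SELINUXTYPE= are ignored; the last SELINUX= line wins.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" 2>/dev/null | tail -n 1
}

# Print the running mode in lowercase; "disabled" if getenforce is not installed.
running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo disabled
    fi
}

# preflight RUNNING CONFIGURED HAVE_SEMANAGE(yes|no)
# 0 = proceed, 1 = install would fail, 2 = mode change still needs a reboot.
preflight() {
    running=$1 configured=$2 have_semanage=$3
    if [ "$running" = enforcing ] && [ "$have_semanage" != yes ]; then
        echo "FAIL: enforcing mode but semanage is missing"
        return 1
    fi
    if [ "$running" != "$configured" ]; then
        echo "WARN: running=$running configured=$configured; reboot before reconfigure.sh"
        return 2
    fi
    echo "OK: mode=$running"
    return 0
}

# Gather the real values from this host and evaluate them.
main() {
    if command -v semanage >/dev/null 2>&1; then s=yes; else s=no; fi
    preflight "$(running_mode)" "$(config_mode)" "$s"
}

# Run against the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Exit code 2 also appears when the mode was switched at runtime without editing the config file, in which case the next reboot will change the mode again.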

Enable SELinux

To enable SELinux on your system, make sure you have the required packages installed:

  • policycoreutils
  • selinux-utils
  • selinux-basics

Also, make sure that you have activated SELinux on your system.

To set up SELinux in Ubuntu

  1. Use the apt command to install the following packages:

    # sudo apt install policycoreutils selinux-utils selinux-basics
    
  2. Activate SELinux:

    # sudo selinux-activate
    

    You should see:

    SE Linux is activated. You may need to reboot now.
    
  3. Set SELinux to enforcing mode:

    # sudo selinux-config-enforcing
    
  4. Stop Dynatrace Managed services:

    # ./dynatrace.sh stop
    

    See Start/stop/restart a cluster for details.

  5. Restart your system.
    SELinux relabelling will be triggered after you reboot your system. When finished, the system will reboot one more time automatically.

  6. Check the SELinux status:

    # sestatus 
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             default
    Current mode:                   enforcing
    Mode from config file:          error (Success)
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     requested (insecure)
    Max kernel policy version:      31
    
  7. Reconfigure Dynatrace Managed with SELinux enabled:

    <PRODUCT_PATH>/installer/reconfigure.sh
    

Disable SELinux

To disable SELinux

  1. Open up the /etc/selinux/config configuration file and change the SELINUX parameter value to disabled:

    SELINUX=disabled
    
  2. Stop Dynatrace Managed services:

    # ./dynatrace.sh stop
    

    See Start/stop/restart a cluster for details.

  3. Reboot your system.

  4. Reconfigure Dynatrace Managed with SELinux disabled:

    <PRODUCT_PATH>/installer/reconfigure.sh
    

Operating system changes

The Dynatrace Managed installer performs the following changes to your system if SELinux mode is enforcing and custom paths are used for installation or storage:

File context is updated to usr_t for all Dynatrace Managed directories (binaries and storage) by executing the following commands, where /custom-dir/dynatrace-managed is a customized path for Dynatrace Managed installation or storage:

# semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed"
# semanage fcontext -a -t usr_t "/custom-dir/dynatrace-managed/.*"
# restorecon -R /custom-dir/dynatrace-managed