How to configure Agent Proxy on SELinux or RHEL

Security Enhanced Linux (SELinux) is a mandatory-access security tool that enables administrators to strictly define how processes are able to interact with system resources like files, directories, and sockets. For a thorough introduction to SELinux, see the RedHat SELinux page and the SELinux Wiki.

For SELinux users on RedHat Enterprise Linux, Aembit Edge Components ship with SELinux rules (.te) files when deployed to VM environments. Use .te files to create a custom SELinux policy.

On this page:

How to create a custom SELinux policy for Edge Components deployed on a RHEL 8 or RHEL 9 VM.
How to update your Edge Component’s policy in case SELinux raises violations.
How to migrate your existing Edge Component policy when updating the installed version your Edge Component.

Create an SELinux Policy

To configure SELinux to work with Aembit Edge Components, perform the following steps:

Install the requisite SELinux packages.

sudo dnf install -y selinux-policy-devel rpm-build

Create a new directory to contain the SELinux policy files.
Terminal window
```
mkdir ~/edge_component_policy
cd ~/edge_component_policy
```
The following steps use Agent Proxy as the example application. If you’re installing a policy for Agent Controller, replace occurrences of proxy with controller in script and/or directory names.
Use the selinux/generate_selinux_policy.sh script inside your Edge Component installer bundle to generate a new SELinux policy for the Edge Component.
~/edge_component_policy
```
sudo <path_to_installer_bundle>/selinux/generate_selinux_policy.sh
# e.g sudo /home/user/aembit_agent_proxy_linux_amd64_1.19.2326/selinux/generate_selinux_policy.sh
```
Note
Your current working directory should now contain a number of new files, including:
- aembit_agent_proxy.te
- aembit_agent_proxy.if
- aembit_agent_proxy.fc
- aembit_agent_proxy.sh
Copy the .te file for your RedHat version, located in the Edge Component installer bundle’s selinux directory, into the directory with the newly generated policy files.

This step replaces the generated aembit_agent_proxy.te file in your working directory with the one provided in the Edge Component installer bundle.
~/edge_component_policy
```
sudo cp <path_to_installer_bundle>/selinux/<RHEL_version>/aembit_agent_proxy.te .
# e.g sudo cp /home/user/aembit_agent_proxy_linux_amd64_1.19.2326/selinux/RHEL_9.3/aembit_agent_proxy.te .
```
Install the policy using the generated aembit_agent_proxy.sh shell script.
~/edge_component_policy
```
sudo ./aembit_agent_proxy.sh
```

Restart the Edge Component for the policy to take effect.

sudo systemctl restart aembit_agent_proxy
# or sudo systemctl restart aembit_agent_controller

Verify Agent Proxy is now running under SELinux.

ps -efZ | grep aembit_agent_proxy
# Sample output:
# system_u:system_r:aembit_agent_proxy_t:s0 [...] /opt/aembit/edge/agent_proxy/<version>/bin/aembit_agent_proxy
# ^^^^^^^^ ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^ - SELinux-generated user, role, and type for the Agent Proxy binary

After completing the preceding steps, the Edge Component run under SELinux.

SELinux policy updates

SELinux may report violations if an Edge Component is run with non-default installation options or with unique workloads. If this occurs, follow these steps to update the SELinux policy and allow the Edge Component to access the needed resources.

Change to the directory where you initially generated the SELinux policy files for your Edge Component (if you followed along from the previous section, this was ~/edge_component_policy).
Terminal window
```
cd ~/edge_component_policy
```
Update the rules (.te) file to account for new violations by running the previously generated installation script with the --update flag.
Terminal window
```
sudo ./aembit_agent_proxy.sh --update
```
Restart the Edge Component for the policy updates to take effect.
Terminal window
```
sudo systemctl restart aembit_agent_proxy
```

It can be useful in some situations to check for violations without committing to a policy update. You can do this with the ausearch tool:

# get the last time at which the policy was updated
last_update_time=`ls -l --time-style="+%x %T" aembit_agent_proxy.te | awk '{ printf "%s %s", $6, $7 }'`

# query SELinux for violations
ausearch --start $last_update_time -m avc --raw -se aembit_agent_proxy

Edge Component version upgrades

When installing a new version of an Edge Component that’s monitored by SELinux, you may choose to re-use your existing rules (.te) file from a previous policy installation, or you can install a new policy from scratch using the .te file provided in the Edge Component’s installation bundle. Both options lead to a fully functioning SELinux policy.

To create a new policy using the rules (.te) file provided in the new Edge Component’s installer bundle, follow the steps outlined in the policy creation section.
To create a new policy using your existing rules (.te) file, follow the steps in the policy creation section, but use your previous .te file instead of the supplied one in the Edge Component’s installation bundle.