3.2.3.3.3 SELinux Secured Policy

Only applicable to MetaDefender Core version 4.19.0 or above.

By default, SELinux (a Linux security system based on role access, available on RedHat and CentOS) does not protect the Nginx web server. The following instructions will help you set up and turn on the protection.

1.) First, install the required SELinux compile-time support:

yum -y install selinux-policy-targeted selinux-policy-devel

2.) Then download the targeted SELinux policies to harden the Nginx web server on Linux servers from the selinuxnginx project page:

cd /opt
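# -O keeps the "?use_mirror=..." query string out of the saved file name, so step 3 finds the archive
wget -O se-ngix_1_0_10.tar.gz 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'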

3.) Extract the archive:

tar -zxvf se-ngix_1_0_10.tar.gz

4.) Compile the policy module:

cd se-ngix_1_0_10/nginx
make

Sample output:

Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod

5.) Install the resulting nginx.pp SELinux module:

/usr/sbin/semodule -i nginx.pp
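
To confirm the result of steps 1 to 5, the following added example (not part of the original documentation or of the selinuxnginx project) checks that SELinux is enforcing, that the nginx module is loaded, and that no nginx process still runs in an unconfined type. It assumes the processes are named nginx and treats unconfined_t, unconfined_service_t and initrc_t as unconfined; the sample data is constructed.

```shell
#!/bin/sh
# Added example: post-install checks for the nginx SELinux module.

# Succeeds if module $1 appears in `semodule -l` output read from stdin
# (older releases print "name<TAB>version", newer ones only the name).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Reads `ps -eZ` output from stdin and prints "PID TYPE" for each nginx
# process whose SELinux type is one of the unconfined types (assumed list).
unconfined_nginx() {
    awk '$NF == "nginx" {
        split($1, ctx, ":")            # label is user:role:type:level
        if (ctx[3] ~ /^(unconfined_t|unconfined_service_t|initrc_t)$/)
            print $2, ctx[3]
    }'
}

# check MODE: MODE is the output of getenforce; the module list is taken
# from $MODULES and the process list from $PROCS. Returns 0 only if all pass.
check() {
    rc=0
    [ "$1" = "Enforcing" ] || { echo "FAIL: SELinux mode is $1"; rc=1; }
    printf '%s\n' "$MODULES" | module_loaded nginx ||
        { echo "FAIL: nginx module not loaded"; rc=1; }
    bad=$(printf '%s\n' "$PROCS" | unconfined_nginx)
    [ -z "$bad" ] || { echo "FAIL: unconfined nginx: $bad"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: nginx is confined"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    # Run against the local host (needs root for semodule).
    MODULES=$(/usr/sbin/semodule -l); PROCS=$(ps -eZ)
    check "$(getenforce)"
else
    # Constructed sample data (not captured from a real host): the module
    # is loaded but nginx was never restarted, so it is still unconfined.
    MODULES=$(printf 'abrt\t1.4.1\nnginx\t1.0.10\n')
    PROCS='system_u:system_r:initrc_t:s0 2101 ? 00:00:00 nginx
system_u:system_r:sshd_t:s0-s0:c0.c1023 980 ? 00:00:00 sshd'
    check Enforcing || true
fi
```

Run the script with --live as root on the server after restarting Nginx; without arguments it only evaluates the constructed sample.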