SELinux Configuration
Workbench | Preview
This feature is in preview. Preview features are unsupported and may face breaking changes in a future release. Any issues found in the feature will be addressed during the regular release schedule; they will not result in immediate patches or hotfixes.
We encourage customers to try these features and we welcome any feedback via Posit Support, but we recommend that the feature not be used in production until it is in general availability (i.e., officially released as a full feature). To provide feedback, please email your Posit Customer Success representative or sales@posit.co and specify that you are trialing this feature.
To support SELinux enforcing mode with Posit Workbench, you must install an SELinux policy module. This policy module defines the set of permissions that the software requires to function.
If you are installing Workbench for the first time, then install the policy module before installing any other Workbench packages to avoid errors when starting rstudio-server, starting rstudio-launcher, or starting a session. If you have an existing installation of Workbench and want to use SELinux, install the policy module before enabling SELinux enforcing mode.
The following procedure assumes that you already have SELinux configured and working on your server.
Step 1. Install the SELinux policy module
Depending on your base policy, there are two ways to install the policy module:
- If you are using the default SELinux base policy on Red Hat, Debian, or Ubuntu, then you can install the rstudio-workbench-selinux package. Continue with the Download and install section below.
- If you are using a customized base policy, then you might need to compile the policy module from source. Skip to Building from source below for instructions.
Download and install
These policy modules are compatible with the base policy provided by the selinux-policy-targeted package.
RHEL 9
$ curl -O https://download2.rstudio.org/server/rhel9/noarch/rstudio-workbench-selinux-rhel9-2025.05.0-noarch.rpm
$ sudo yum install rstudio-workbench-selinux-rhel9-2025.05.0-noarch.rpm
RHEL 8
$ curl -O https://download2.rstudio.org/server/rhel8/noarch/rstudio-workbench-selinux-rhel8-2025.05.0-noarch.rpm
$ sudo yum install rstudio-workbench-selinux-rhel8-2025.05.0-noarch.rpm
These policy modules are compatible with the base policy provided by the selinux-policy-default package.
Ubuntu 24 / 22 | Debian 12
$ sudo apt-get install gdebi-core
$ curl -O https://download2.rstudio.org/server/jammy/all/rstudio-workbench-selinux-jammy-2025.05.0-all.deb
$ sudo gdebi rstudio-workbench-selinux-jammy-2025.05.0-all.deb
Ubuntu 20
$ sudo apt-get install gdebi-core
$ curl -O https://download2.rstudio.org/server/focal/all/rstudio-workbench-selinux-focal-2025.05.0-all.deb
$ sudo gdebi rstudio-workbench-selinux-focal-2025.05.0-all.deb
SUSE Enterprise Linux and openSUSE support SELinux. However, SUSE doesn’t provide a base SELinux policy. According to the documentation:
A policy is not included, and you must build your own. Third-party policies are not supported.
For more information on SUSE’s SELinux support, see the SUSE Enterprise Linux - Configuring SELinux or OpenSUSE - Configuring SELinux documentation.
You will need to build the policy module from source to use Workbench in enforcing mode.
Building from source
If you are using Workbench with an SELinux base policy other than the default policy shipped by one of the supported Linux distributions, or if attempting to load the packaged policy module results in errors, then you must build a policy module from source.
The following procedures assume that you have SELinux already configured. Consult the documentation for your Linux distribution for more information about building an SELinux policy module.
Install the SELinux development tools for your distribution:
- On Red Hat or SUSE, install: selinux-policy-devel
- On Debian or Ubuntu, install: selinux-policy-dev
Download and unpack the sample policy source code.
Review the comments and define statements at the top of workbench.te. Select the configuration appropriate for your distribution’s base policy.
The provided configuration options can configure the policy module to be compatible with the Red Hat Enterprise Linux policy and the SELinux Reference Policy. Customized base policies may require further modification to the policy source code.
- Build the policy module using the Makefile provided by your base policy. On most Linux distributions, this is typically done with:
make -f /usr/share/selinux/devel/Makefile
- Install the policy module using the semodule command:
semodule -i ./workbench.pp
- Optionally, generate man pages for the policy module:
sepolicy manpage -p /usr/share/man/man8 -d workbench_t workbench_worker_t workbench_server_t
If any errors occur when building or installing the module, then resolve them with changes to workbench.te or workbench.if. The necessary changes depend on your base policy. For more information, consult these guides:
- Your Linux distribution’s SELinux documentation
- Your SELinux base policy’s documentation
- SELinux Reference Policy documentation
- Quick start to write a custom SELinux policy
- Writing a custom SELinux policy
Step 2. Set SELinux booleans
SELinux policies can be configured with boolean flags. The defaults are configured to provide minimum access. You can enable additional permissions by toggling these booleans.
The available boolean flags depend on your SELinux base policy. The man pages installed with the policy module will document all of the booleans that affect the permissions granted to Workbench. See man 8 workbench_t, man 8 workbench_worker_t, and man 8 workbench_server_t to discover which booleans are available for your installation.
SELinux booleans are system-wide and not specific to Workbench. Changing the value of a boolean could impact other services.
To display the current value of a boolean:
getsebool <boolean>
To enable a boolean:
setsebool -P <boolean> 1
To disable a boolean:
setsebool -P <boolean> 0
allow_kerberos
To enable the use of Kerberos for authentication, set the allow_kerberos boolean to 1.
This boolean is not included when using the Red Hat base policy.
kerberos_enabled
To enable the use of Kerberos for authentication, set the allow_kerberos boolean to 1.
This boolean is not included when using the Debian / Ubuntu base policy.
daemons_dontaudit_scheduling
To suppress audit logging for daemon scheduling requests, such as setsched and sys_nice, set the daemons_dontaudit_scheduling boolean to 1.
This boolean is only available in the Red Hat Enterprise Linux 9 base policy, where it is set to 1 by default.
authlogin_nsswitch_use_ldap
To allow users to resolve passwd entries directly from LDAP instead of using an SSSD server, set the authlogin_nsswitch_use_ldap boolean to 1.
nscd_use_shm
If you are using nscd for DNS caching and want the cache to be shared across users, set the nscd_use_shm boolean to 1.
use_nfs_home_dirs
If user home directories are mounted over NFS, set the use_nfs_home_dirs boolean to 1.
use_samba_home_dirs
If user home directories are mounted over Samba (SMB/CIFS), set the use_samba_home_dirs boolean to 1.
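The following sh functions are an added example, not part of the Workbench documentation or packages. They report which of the booleans listed above exist in the loaded base policy and check whether the home-directory boolean matches the filesystem that holds a user's home. The function names, the sample host and paths, and the filesystem-type-to-boolean mapping (nfs/nfs4 and cifs/smb3, derived from the descriptions above) are assumptions of this example.

```sh
# Added example with hypothetical function names. Input is text in
# `getsebool -a` format ("name --> on|off") and /proc/mounts format.
# Booleans named on this page; which ones exist depends on the base policy.
WORKBENCH_BOOLEANS="allow_kerberos kerberos_enabled daemons_dontaudit_scheduling
authlogin_nsswitch_use_ldap nscd_use_shm use_nfs_home_dirs use_samba_home_dirs"

# bool_state NAME < booleans -> on, off, or absent (not in this base policy)
bool_state() {
  awk -v want="$1" '$1 == want && $2 == "-->" { print $3; found = 1; exit }
                    END { if (!found) print "absent" }'
}

# report_booleans BOOLS_TEXT -> one "name=state" line per boolean on this page
report_booleans() {
  for b in $WORKBENCH_BOOLEANS; do
    printf '%s=%s\n' "$b" "$(printf '%s\n' "$1" | bool_state "$b")"
  done
}

# home_fstype PATH < mounts -> filesystem type of the deepest mount holding PATH
home_fstype() {
  awk -v path="$1" 'BEGIN { best = 0 }
    ($2 == "/" || path == $2 || index(path, $2 "/") == 1) && length($2) >= best {
      best = length($2); fs = $3 }
    END { print fs }'
}

# check_home PATH MOUNTS_TEXT BOOLS_TEXT -> 0 if no change is needed, 1 otherwise
check_home() {
  fs=$(printf '%s\n' "$2" | home_fstype "$1")
  case "$fs" in
    nfs|nfs4)  need=use_nfs_home_dirs ;;
    cifs|smb3) need=use_samba_home_dirs ;;
    *) echo "ok: $1 is on $fs, no home-directory boolean needed"; return 0 ;;
  esac
  state=$(printf '%s\n' "$3" | bool_state "$need")
  [ "$state" = on ] && { echo "ok: $need is on ($1 is on $fs)"; return 0; }
  echo "action: $1 is on $fs but $need is $state; run: setsebool -P $need 1"
  return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / xfs rw 0 0
nas01:/export/home /home nfs4 rw,relatime 0 0'
SAMPLE_BOOLS='kerberos_enabled --> on
use_nfs_home_dirs --> off
use_samba_home_dirs --> off'
report_booleans "$SAMPLE_BOOLS"
check_home /home/alice "$SAMPLE_MOUNTS" "$SAMPLE_BOOLS" || true
```

On a live host, pass "$(getsebool -a)" and "$(cat /proc/mounts)" in place of the samples. The script only prints the setsebool command, because booleans are system-wide and the change should be reviewed first.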
Step 3. Install Workbench
If you are setting up Workbench for the first time, then continue with the Install Workbench instructions.
If you are activating SELinux on an existing Workbench installation, then you can enable enforcing mode now.