SELinux Configuration


Preview feature

This feature is in preview. Preview features are unsupported and may face breaking changes in a future release. Any issues found in the feature will be addressed during the regular release schedule; they will not result in immediate patches or hotfixes.

We encourage customers to try these features and we welcome any feedback via Posit Support, but we recommend that the feature not be used in production until it is in general availability (i.e., officially released as a full feature). To provide feedback, please email your Posit Customer Success representative or and specify that you are trialing this feature.

To support SELinux enforcing mode with Posit Workbench, you must install an SELinux policy module. This policy module defines the set of permissions that the software requires to function.

If you are installing Workbench for the first time, then install the policy module before installing any other Workbench packages to avoid errors when starting rstudio-server, starting rstudio-launcher, or starting a session. If you have an existing installation of Workbench and want to use SELinux, install the policy module before enabling SELinux enforcing mode.

The following procedure assumes that you already have SELinux configured and working on your server.

Step 1. Install the SELinux policy module

Depending on your base policy, there are two ways to install the policy module:

  • If you are using the default SELinux base policy on Red Hat, Debian, or Ubuntu, then you can install the rstudio-workbench-selinux package. Continue with the Download and install section below.
  • If you are using a customized base policy, then you might need to compile the policy module from source. Skip to Building from source below for instructions.

Download and install

These policy modules are compatible with the base policy provided by the selinux-policy-targeted package.

RHEL 9

$ curl -O https://download2.rstudio.org/server/rhel9/noarch/rstudio-workbench-selinux-rhel9-2025.05.0-noarch.rpm
$ sudo yum install rstudio-workbench-selinux-rhel9-2025.05.0-noarch.rpm

RHEL 8

$ curl -O https://download2.rstudio.org/server/rhel8/noarch/rstudio-workbench-selinux-rhel8-2025.05.0-noarch.rpm
$ sudo yum install rstudio-workbench-selinux-rhel8-2025.05.0-noarch.rpm

These policy modules are compatible with the base policy provided by the selinux-policy-default package.

Ubuntu 24 / 22 | Debian 12

$ sudo apt-get install gdebi-core
$ curl -O https://download2.rstudio.org/server/jammy/all/rstudio-workbench-selinux-jammy-2025.05.0-all.deb
$ sudo gdebi rstudio-workbench-selinux-jammy-2025.05.0-all.deb

Ubuntu 20

$ sudo apt-get install gdebi-core
$ curl -O https://download2.rstudio.org/server/focal/all/rstudio-workbench-selinux-focal-2025.05.0-all.deb
$ sudo gdebi rstudio-workbench-selinux-focal-2025.05.0-all.deb

SUSE Enterprise Linux and openSUSE support SELinux. However, SUSE doesn’t provide a base SELinux policy. According to the documentation:

A policy is not included, and you must build your own. Third-party policies are not supported.

For more information on SUSE’s SELinux support, see the SUSE Enterprise Linux - Configuring SELinux or OpenSUSE - Configuring SELinux documentation.

You will need to build the policy module from source to use Workbench in enforcing mode.

Building from source

If you are using Workbench with an SELinux base policy other than the default policy shipped by one of the supported Linux distributions, or if attempting to load the packaged policy module results in errors, then you must build a policy module from source.

The following procedures assume that you have SELinux already configured. Consult the documentation for your Linux distribution for more information about building an SELinux policy module.

  1. Install the SELinux development tools for your distribution:

    • On Red Hat or SUSE, install: selinux-policy-devel
    • On Debian or Ubuntu, install: selinux-policy-dev
  2. Download and unpack the sample policy source code.

  3. Review the comments and define statements at the top of workbench.te. Select the configuration appropriate for your distribution’s base policy.

Note

The provided configuration options can configure the policy module to be compatible with the Red Hat Enterprise Linux policy and the SELinux Reference Policy. Customized base policies may require further modification to the policy source code.

  4. Build the policy module using the Makefile provided by your base policy. On most Linux distributions, this is typically done with:

     make -f /usr/share/selinux/devel/Makefile

  5. Install the policy module using the semodule command:

     semodule -i ./workbench.pp

  6. Optionally, generate man pages for the policy module:

     sepolicy manpage -p /usr/share/man/man8 -d workbench_t workbench_worker_t workbench_server_t

If any errors occur when building or installing the module, then resolve them with changes to workbench.te or workbench.if. The necessary changes depend on your base policy. For more information, consult these guides:

  • Your Linux distribution’s SELinux documentation
  • Your SELinux base policy’s documentation
  • SELinux Reference Policy documentation
  • Quick start to write a custom SELinux policy
  • Writing a custom SELinux policy

Step 2. Set SELinux booleans

SELinux policies can be configured with boolean flags. The defaults are configured to provide minimum access. You can enable additional permissions by toggling these booleans.

The available boolean flags depend on your SELinux base policy. The man pages installed with the policy module will document all of the booleans that affect the permissions granted to Workbench. See man 8 workbench_t, man 8 workbench_worker_t, and man 8 workbench_server_t to discover which booleans are available for your installation.

Note

SELinux booleans are system-wide and not specific to Workbench. Changing the value of a boolean could impact other services.

To display the current value of a boolean:

getsebool <boolean>

To enable a boolean:

setsebool -P <boolean> 1

To disable a boolean:

setsebool -P <boolean> 0

allow_kerberos

To enable the use of Kerberos for authentication, set the allow_kerberos boolean to 1.

This boolean is not included when using the Red Hat base policy.

kerberos_enabled

To enable the use of Kerberos for authentication, set the kerberos_enabled boolean to 1.

This boolean is not included when using the Debian / Ubuntu base policy.

daemons_dontaudit_scheduling

To suppress audit logging for daemon scheduling requests, such as setsched and sys_nice, set the daemons_dontaudit_scheduling boolean to 1.

This boolean is only available in the Red Hat Enterprise Linux 9 base policy, where it is set to 1 by default.

authlogin_nsswitch_use_ldap

To allow users to resolve passwd entries directly from LDAP instead of using an SSSD server, set the authlogin_nsswitch_use_ldap boolean to 1.

nscd_use_shm

If you are using nscd for DNS caching and want the cache to be shared across users, set the nscd_use_shm boolean to 1.

use_nfs_home_dirs

If user home directories are mounted over NFS, set the use_nfs_home_dirs boolean to 1.

use_samba_home_dirs

If user home directories are mounted over Samba (SMB/CIFS), set the use_samba_home_dirs boolean to 1.
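
Because the set of available booleans depends on the base policy, it helps to record which of the booleans above exist on a host, and their current values, before changing any of them. The following is an added example, not part of Posit's documentation: it parses `getsebool -a` output and reports each boolean from this page as on, off, or absent. The function names `report_booleans` and `sample_rhel` are hypothetical, and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: report the state of the booleans listed on this page.
# Input is `getsebool -a` output, one "name --> on|off" entry per line.
# A boolean missing from the input is not defined by the loaded base policy.

WORKBENCH_BOOLEANS="allow_kerberos kerberos_enabled daemons_dontaudit_scheduling
authlogin_nsswitch_use_ldap nscd_use_shm use_nfs_home_dirs use_samba_home_dirs"

# report_booleans (hypothetical helper): reads `getsebool -a` output on stdin
# and prints one "name=on|off|absent" line per boolean of interest.
report_booleans() {
    local dump name state
    dump=$(cat)
    for name in $WORKBENCH_BOOLEANS; do
        # Match the name exactly so that similarly named booleans are ignored.
        state=$(printf '%s\n' "$dump" |
            awk -v b="$name" '$1 == b && $2 == "-->" { print $3; exit }')
        printf '%s=%s\n' "$name" "${state:-absent}"
    done
}

# Constructed sample resembling a Red Hat base policy (not captured from a host).
sample_rhel() {
    cat <<'EOF'
authlogin_nsswitch_use_ldap --> off
daemons_dontaudit_scheduling --> on
httpd_can_network_connect --> off
kerberos_enabled --> on
nscd_use_shm --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
EOF
}

# On a live host, run: getsebool -a | report_booleans
sample_rhel | report_booleans
```

Saving this report before and after a change gives a record of which system-wide booleans were toggled for Workbench.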

Step 3. Install Workbench

If you are setting up Workbench for the first time, then continue with the Install Workbench instructions.

If you are activating SELinux on an existing Workbench installation, then you can enable enforcing mode now.
