Configuring SELinux Security Policies
If the used Linux distribution features the SELinux security subsystem (Security-Enhanced Linux), you need to configure the security policies used by SELinux in order to enable correct operation of the anti-virus components (Dr.Web Daemon and Dr.Web Console Scanner) after the installation. Moreover, if SELinux is enabled, product installation from distribution packages (.run) can fail, because the attempt to create the drweb user, whose privileges are used by Dr.Web for Novell Storage Services, will be blocked.

Thus, before installing the product, check the SELinux operation mode with the getenforce command. This command outputs the current operation mode, which is one of the following:

• Permissive – protection is active, but restrictions are not enforced: actions that violate the security policy are logged but not denied.
• Enforced – protection is active and restrictions are enforced: actions that violate the security policy are logged and blocked.
• Disabled – SELinux is installed but not active.

If SELinux is operating in the Enforced mode, temporarily (until the product is installed and the security policies are configured) enable the Permissive mode. To do this, enter the setenforce 0 command, which sets the SELinux operation mode to Permissive until the next restart. To enable the Enforced mode again, enter the setenforce 1 command. Note that regardless of the mode enabled with the setenforce command, after a system restart SELinux operates in the mode specified in its settings (normally, the SELinux configuration file is located in the /etc/selinux directory).

In general, if the audit daemon is used, the log file resides in /var/log/audit/audit.log. Otherwise, notifications on forbidden actions are logged to /var/log/messages.

For correct operation of the anti-virus components when SELinux is enabled, compile special security policies once the product installation completes.
Please note that some Linux distributions may not have the utilities mentioned below installed by default. In this case you need to additionally install the required packages.

To create the required policies:

1. Create a new file with the SELinux policy source code (.te file). The file defines the restrictions applied to the described module. The source file can be created in one of two ways:

1) With the audit2allow utility. This way is simpler. The utility generates rules that allow the actions reported in the access denial messages of the system log files. You can let it search the log files automatically or specify the path to the log file manually.

Example usage:

# audit2allow -M drweb -i /var/log/audit/audit.log

OR

# cat /var/log/audit/audit.log | audit2allow -M drweb

In this example, the audit2allow utility searches for access denied messages in the audit.log file.

# audit2allow -a -M drweb

In this example, audit2allow searches for access denied messages in the log files automatically.

In both cases, two files are created as a result: the drweb.te policy source file and the drweb.pp policy module, which is ready for installation. In most cases you do not need to adjust the policies created by the utility, so it is recommended to go to step 4 to install the drweb.pp policy module. Note that audit2allow outputs the semodule command invocation string; copy the string to the command line and execute it, and step 4 is complete. Go to step 2 only if you want to adjust the policies automatically generated for the Dr.Web for Novell Storage Services components.

2) With the policygentool utility. As parameters, specify the name of the module whose operation you want to configure and the path to its executable file.

Example of creating policies with policygentool:

o For Dr.Web Console Scanner:
# policygentool drweb-scanner /opt/drweb/drweb.real
o For Dr.Web Daemon:
# policygentool drweb-daemon /opt/drweb/drwebd.real

You will be prompted for information on some domain features, and then for each of the modules three files which determine the policy are created: [module_name].te, [module_name].fc and [module_name].if.

2. If necessary, edit the generated [module_name].te policy source file and then use the checkmodule utility to create a binary representation (.mod) of the policy source file.

Usage example:

# checkmodule -M -m -o drweb.mod drweb.te

3. Create a policy module (drweb.pp) with the semodule_package utility.

Example:

# semodule_package -o drweb.pp -m drweb.mod

4. To install the new policy module into the module store, use the semodule utility.

Example:

# semodule -i drweb.pp

After a system restart, the SELinux security subsystem will be configured to enable correct operation of Dr.Web for Novell Storage Services. For details on how to configure SELinux and on its operation features, refer to the documentation for the used Linux distribution.
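Before installing a module generated from the whole audit log (step 1, variant 1), it is worth checking which allow rules it would contain and keeping denials of unrelated processes out of it. The following POSIX shell script is an added example and is not part of the Dr.Web documentation; its audit.log lines, SELinux contexts and file names are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Dr.Web documentation): review the AVC denials an
# audit.log would turn into allow rules before handing it to audit2allow.
# The log lines, SELinux contexts and file names below are constructed samples.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="drwebd.real" name="drweb32.ini" dev="sda1" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=2101 comm="drwebd.real" path="/etc/drweb/drweb32.ini" dev="sda1" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=2101 comm="drwebd.real" src=3000 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=2150 comm="drweb.real" name="passwd" dev="sda1" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.105:205): avc:  denied  { write } for  pid=900 comm="cupsd" name="printers.conf" dev="sda1" ino=7 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=1 success=yes exit=3'

# Keep only AVC denial records whose comm= names a Dr.Web process. Feeding this
# subset, rather than the whole log, to "audit2allow -M drweb" keeps denials of
# unrelated processes (here cupsd) out of the generated module.
drweb_denials() {
    grep '^type=AVC ' | grep ' denied ' | grep 'comm="drweb'
}

# One line per distinct (comm, source type, target type, class, permission);
# each line corresponds to one allow rule audit2allow would emit in drweb.te.
summarize_denials() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        # the denied permissions are listed between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            for (j = 1; j <= n; j++) print comm, src, tgt, cls, p[j]
        }
    }' | sort -u
}

# On a real system: drweb_denials < /var/log/audit/audit.log | summarize_denials
# and, once the rules look right: drweb_denials < /var/log/audit/audit.log | audit2allow -M drweb
printf '%s\n' "$SAMPLE_AUDIT_LOG" | drweb_denials | summarize_denials
```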