Configuring Security Subsystems


The presence of the SELinux enhanced security subsystem in the OS, as well as the use of mandatory access control systems such as PARSEC (as opposed to the classical discretionary model used by UNIX), causes problems in the operation of Dr.Web for UNIX Mail Servers when its default settings are used. To ensure correct operation of Dr.Web for UNIX Mail Servers in this case, it is necessary to make additional changes to the settings of the security subsystem and/or to the settings of Dr.Web for UNIX Mail Servers.

This section discusses the settings that ensure correct operation of Dr.Web for UNIX Mail Servers in the following cases:

Configuring SELinux Security Policies.

Setting up the permissions of the PARSEC mandatory access control system (the Astra Linux OS).

Configuring the permissions of the PARSEC mandatory access control system for Dr.Web for UNIX Mail Servers allows the components of Dr.Web for UNIX Mail Servers to bypass the restrictions of the configured security policies and to access files that belong to different privilege levels.

Note that even if you have not configured the permissions of the PARSEC mandatory access control system for Dr.Web for UNIX Mail Servers, you can still launch file scanning directly from the command line. To do this, use the drweb-ctl command in autonomous mode by specifying the --Autonomous option in the command call. When scanning is launched this way, it is possible to scan only those files that can be accessed with privileges not exceeding those of the user who launched the scanning. This mode has several features:

To launch the autonomous copy, you need a valid key file; operation with a central protection server is not supported (it is possible to install a key file exported from the central protection server). Moreover, even if Dr.Web for UNIX Mail Servers is connected to a central protection server, the autonomous copy does not send it any notifications about threats detected during operation in autonomous mode.

All additional components that support the functioning of the autonomous copy are launched under the current user and work with a specially generated configuration file.

All temporary files and UNIX sockets used are created only in a directory with a unique name, which is created when the autonomous copy is launched. This unique temporary directory is created in the system directory for temporary files (the path to this directory is available in the TMPDIR environment variable).

All the required paths to the virus databases, the anti-virus engine and the executable files used during scanning are defined by default or retrieved from special environment variables.

The number of autonomous copies working simultaneously is not limited.

When the autonomous copy is terminated, the set of supporting components also terminates.