Configuring SELinux Security Policies |
If the used distribution features (Security-Enhanced Linux), you may need to configure security policies to enable correct component operation (for example, operation of the scanning engine) after they are installed. 1. Universal Package Installation Issues If is enabled, installation from the installation file (.run) can fail because an attempt to create the drweb user, under which Dr.Web for Linux components operate, can be blocked. In case of failure, check the operation mode with the command. The command outputs one of the following: •Permissive—protection is active but a permissive strategy is used: actions that violate the security policy are not denied but information on the actions is logged. •Enforced—protection is active and restrictive strategy is used: actions that violate security policies are blocked and information on the actions is logged. •Disabled— is installed but not active. If is operating in Enforced mode, change it to Permissive. For that purpose, use the following command:
which temporarily (until the next reboot) enables Permissive mode for .
After the successful product installation, enable Enforced mode again before starting the product. For that, use the following command:
2. Operation Issues In some cases when is enabled, certain auxiliary Dr.Web for Linux components (for example, and used by Scanner and SpIDer Guard) cannot start. If so, object scanning and file system monitoring become unavailable. When an auxiliary module fails to start, the main Dr.Web for Linux window displays messages on 119 and 120 errors and information on these errors is also registered by (the log is usually located in the /var/log/ directory).
When the security system denies access, such an event is logged. In general, when the daemon is used on the system, the log of the audit is stored in the /var/log/audit/audit.log file. Otherwise, messages about blocked operations are saved to the general log file (/var/log/messages or /var/log/syslog). If auxiliary modules do not function because they are blocked by , compile special security policies for them.
Configuring SELinux Security Policies: 1.Create a new file with the policy source code (a .te file). This file defines restrictions related to the described policy module. The policy’s source code can be created in one of the following ways: 1)Using the utility, which is the simplest method. The utility generates permissive rules from messages on access denial in system log files. You can set to search messages automatically or specify a path to the log file manually. Note that you can use this method only if Dr.Web for Linux’s components have violated security policies and these events are registered in the audit log file. If not, wait for such an incident to occur or force-create permissive policies by using the utility (see below).
Example of using :
In the given example, the utility performs a search in the audit.log file to find access denial messages for module. The following two files are created: policy source file drweb-se.te and the drweb-se.pp policy module ready to install. If no security violation incidents are found in the system audit log, the utility returns an error message. In most cases, you do not need to modify the policy file created by the utility. Thus, it is recommended to go to step 4 for installation of the drweb-se.pp policy module. Note that the utility outputs invocation of the command. By copying the output to the command line and executing it, you complete step 4. Go to step 2 only if you want to modify security policies which were automatically generated for Dr.Web for Linux components. 2)Using the utility. For that purpose, specify name of the module operation with which you want to configure and the full path to the executable file.
Example of policy creation using : •For :
•For :
You will be prompted to specify several common domain characteristics. After that, three files that determine the policy are created for each of the modules: <module_name>.te, <module_name>.fc and <module_name>.if. 2.If required, edit the generated policy source file <module_name>.te and then use the utility to create a binary representation (a .mod file) of this source file of the local policy.
Example usage
3.Create a policy module for installation (a .pp file) with the help of the utility. Example:
4.To install the created policy module, use the utility. Example:
For details on operation and configuration, refer to documentation for the used distribution. |