Configuring Security Subsystems

The presence of the SELinux enhanced security subsystem in the OS, as well as the use of mandatory access control systems such as PARSEC (as opposed to the classical discretionary model used by UNIX), causes problems in the operation of Dr.Web for Linux when its default settings are used. To ensure correct operation of Dr.Web for Linux in this case, you must make additional changes to the settings of the security subsystem and/or to the settings of Dr.Web for Linux.

This section discusses the following settings that ensure correct operation of Dr.Web for Linux:

Configuring SELinux Security Policies.

Configuring the permissions of the PARSEC mandatory access control system (the Astra Linux SE OS).

Configuring the launch in the CSE (Closed Software Environment) mode (OS Astra Linux SE 1.6 and 1.7).

Configuring the permissions of the PARSEC mandatory access control system for Dr.Web for Linux allows the components of Dr.Web for Linux to bypass the restrictions of the configured security policies and to access files that belong to different privilege levels.

Note that even if you have not configured the permissions of the PARSEC mandatory access control system for Dr.Web for Linux components, you can still launch file scanning from the graphical management interface of Dr.Web for Linux in the autonomous copy mode. To do this, execute the drweb-gui command with the --Autonomous parameter. You can also launch scanning directly from the command line. To do this, use the drweb-ctl command, specifying the same parameter (--Autonomous) in the command call. In this case, it is possible to scan only those files that require a privilege level not higher than the level of the user who launched the scanning session. This mode has the following features:

To run an autonomous copy, you need a valid key file; operation in Centralized protection mode is not supported (an option to install a key file exported from the centralized protection server is available). In this case, even if Dr.Web for Linux is connected to the centralized protection server, the autonomous copy does not notify the centralized protection server of the threats detected in the autonomous copy mode.

All additional components that are run to support the autonomous copy are launched as the current user and work with a configuration file generated separately for this session.

All temporary files and UNIX sockets are created only in a directory with a unique name, which is created when the autonomous copy is launched. The unique temporary directory is created in the system directory for temporary files (the path to this directory is available in the TMPDIR environment variable).

The autonomous copy of the graphical management interface does not launch the SpIDer Guard and SpIDer Gate monitors; only the file scanning and quarantine management functions supported by Scanner are available.

All the required paths (to virus databases, scan engine and executable files of the service components) are defined by default or retrieved from the special environment variables.

The number of autonomous copies running simultaneously is not limited.

When the autonomous copy is shut down, the set of servicing components is also terminated.