Adjusting SELinux Policies

If the used Linux distribution features SELinux (Security-Enhanced Linux), you may need to configure SELinux security policies to enable correct component operation (for example, operation of the scanning engine) after they are installed.

1. Universal package installation issues

If SELinux is enabled, installation from the installation file (.run) can fail because an attempt to create the drweb user, under which Dr.Web for Linux components operate, can be blocked.

In case of failure, check the SELinux operation mode with the getenforce command. The command outputs one of the following:

Permissive – protection is active but a permissive strategy is used: actions that violate the security policy are not denied but information on the actions is logged.

Enforced – protection is active and restrictive strategy is used: actions that violate security policies are blocked and information on the actions is logged.

DisabledSELinux is installed but not active.

If SELinux is operating in Enforced mode, change it to Permissive for the period while the product is being installed. For that purpose, use the setenforce 0 command, which temporarily (until the next reboot) enables Permissive mode for SELinux.

Note that regardless of the operation mode enabled with the setenforce command, restart of the operating system returns SELinux operation to the mode specified in the SELinux settings (file with SELinux settings usually resides in the /etc/selinux directory).

After the product installation successfully completes, enable Enforced mode for SELinux again before starting the product. For that, use the setenforce 1 command.

2. Operation issues

In some cases when SELinux is enabled, certain auxiliary Dr.Web for Linux components (for example, drweb-se and drweb-filecheck used by Scanner) cannot start. If so, object scanning and file system monitoring become unavailable. When an auxiliary module fails to start, the main Dr.Web for Linux window displays messages on 119 and 120 errors and information on these errors is also registered by syslog (the log is usually located in the /var/log/ directory).

Messages on 119 and 120 errors can also indicate an attempt to start Dr.Web for Linux on 64-bit version of the operating system if the 32-bit application support library is missing (see System Requirements).

SELinux messages are registered in the system log. In general, when audit daemon is used on the system, the audit log file is /var/log/audit/audit.log. Otherwise, messages on blocked operations are saved to the general log file located in /var/log/messages.

Note that certain Linux distributions do not feature the utilities mentioned below. If so, you may need to install additional packages with the utilities.

To create required policies

1.Create a new file with the SELinux policy source code (.te file). This file defines restrictions applied to the module. The policy source code can be specified in one of the following ways:

1)Using the audit2allow utility, which is the simplest method. The utility generates permissive rules from messages on access denial in system log files. You can set to search messages automatically or specify a path to the log file manually.

Note that you can use this method only if Dr.Web for Linux violated SELinux security policies and these events are registered in the audit log file. If not, wait for such an incident to occur or force-create permissive policies by using the policygentool utility (see below).

The audit2allow utility resides in the policycoreutils-python or policycoreutils-devel package (for RedHat Enterprise Linux, CentOS, Fedora operating systems depending on the version) or in the python-sepolgen package (for Debian, Ubuntu OSes).

Please note that for Fedora version 20 it is required to install additionally the checkpolicy package, otherwise the audit2allow utility returns an error.

Example usage:

# grep drweb-se.real /var/log/audit/audit.log | audit2allow -M drweb-se

In the given example, the audit2allow utility performs a search in the audit.log file to find access denial messages for drweb-se module.

The following two files are created: policy source file drweb-se.te and the drweb-se.pp policy module ready to install.

If no security violation incidents are found in the system audit log, the utility returns an error message.

In most cases, you do not need to modify the policy file created by the utility. Thus, it is recommended to go to step 4 for installation of the drweb-se.pp policy module. Note that the audit2allow utility outputs invocation of the semodule command. By copying the output to the command line and executing it, you complete step 4. Go to step 2 only if you want to modify security policies which were automatically generated for Dr.Web for Linux components.

2)Using the policygentool utility. For that purpose, specify name of the module operation with which you want to configure and the full path to the executable file.

Note that the policygentool utility, included in the selinux-policy package for RedHat Enterprise Linux and CentOS Linux OS, may not function correctly. If so, use the audit2allow utility.

Example of policy creation via policygentool:

ofor drweb-se (used by the anti-virus engine):

# policygentool drweb-se /opt/

ofor drweb-filecheck (used by Scanner):

# policygentool drweb-filecheck /opt/

You will be prompted to specify several common domain characteristics. After that, three files that determine the policy are created for each of the modules:

<module_name>.te, <module_name>.fc and <module_name>.if.

2.If required, edit the generated policy source file <module_name>.te and then use the checkmodule utility to create a binary mapping of the local policy source file (.mod file).

Note that to ensure success of the command, the checkpolicy package must be installed in the system.

Example usage

# checkmodule -M -m -o drweb-se.mod drweb-se.te

3.Create an installed policy module (.pp file) with the use of the semodule_package utility.


# semodule_package -o drweb-se.pp -m drweb-se.mod

4.To install the created policy module, use the semodule utility.


# semodule -i drweb-se.pp

For details on SELinux operation and configuration, refer to documentation for the used Linux distribution.