Configuring SELinux Security Policies
If your GNU/Linux distribution features the SELinux (Security-Enhanced Linux) security subsystem, you may need to adjust SELinux security policies to enable correct operation of Dr.Web for Linux service components (for example, of the scanning engine) after their installation.

1. Universal Package Installation Issues

If SELinux is enabled, the installation of the Dr.Web for Linux universal package from the installation file (.run) can fail because an attempt to create the drweb special user, under which Dr.Web for Linux components run, will be blocked.

If installation of Dr.Web for Linux from the installation file (.run) fails because the drweb user cannot be created, check the SELinux operation mode with the getenforce command. The command outputs the current protection mode:

•Permissive: protection is active, but a permissive strategy is used; actions that violate the security policy are only recorded in the audit log, not blocked.
•Enforced: protection is active and a restrictive strategy is used; actions that violate security policies are blocked and recorded in the audit log.
•Disabled: SELinux is installed but not active.

If SELinux is operating in the Enforced mode, temporarily (for the duration of the Dr.Web for Linux installation) change its mode to Permissive. For that purpose, use the following command:
which temporarily (until the next restart) enables the Permissive mode of SELinux.
After Dr.Web for Linux is successfully installed from the installation file, enable the Enforced mode again before starting and activating the product. For that purpose, use the following command:
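The mode check, the temporary switch to Permissive and the return to Enforced described above, as an added shell example that is not from the Dr.Web documentation. It assumes that getenforce and setenforce are available (policycoreutils), that it runs as root, and that the path to the .run installer is passed as the first argument; the script name, the trap that restores Enforcing on every exit path and the post-install check for the drweb user are the example's own choices. Note that getenforce prints the mode the text calls "Enforced" as "Enforcing".

```shell
#!/bin/sh
# Added example, not part of the Dr.Web documentation: wrap the .run installer so
# that SELinux is switched to Permissive only for the duration of the install and
# is put back into Enforcing afterwards, whether or not the installer succeeds.
# Assumptions: getenforce/setenforce are available (policycoreutils), the script
# runs as root, and the path to the Dr.Web .run file is passed as the argument.
# getenforce prints the mode the text calls "Enforced" as "Enforcing".
#
# Usage: sh install_drweb_permissive.sh ./drweb-<version>.run   (hypothetical file name)

# Decide from a getenforce result whether a temporary switch is needed.
# Returns 0 (switch) for Enforcing, 1 (no switch) for Permissive or Disabled,
# 2 for anything else.
selinux_needs_switch() {
    case "$1" in
        Enforcing) return 0 ;;
        Permissive|Disabled) return 1 ;;
        *) echo "unrecognized SELinux mode: $1" >&2; return 2 ;;
    esac
}

# After the installer returns, confirm the service account exists; the text
# names its absence as the symptom of SELinux blocking the installation.
drweb_user_exists() {
    id "${1:-drweb}" >/dev/null 2>&1
}

install_with_permissive() {
    installer="$1"
    [ -f "$installer" ] || { echo "installer not found: $installer" >&2; return 1; }

    mode=$(getenforce) || { echo "getenforce failed; is SELinux installed?" >&2; return 1; }
    if selinux_needs_switch "$mode"; then
        echo "SELinux is $mode; switching to Permissive for the installation"
        setenforce 0 || return 1
        # Restore Enforcing on every exit path (normal, error, Ctrl-C) so the host
        # is never left permissive and is enforcing again before the product starts.
        trap 'setenforce 1 && echo "SELinux restored to Enforcing"' EXIT
        trap 'exit 130' INT TERM
    else
        echo "SELinux is $mode; no mode change needed"
    fi

    sh "$installer"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "installer exited with status $rc" >&2
        return "$rc"
    fi
    if drweb_user_exists drweb; then
        echo "drweb user present; installation completed"
    else
        echo "drweb user missing after installation; check the audit log for denials" >&2
        return 1
    fi
}

if [ $# -ge 1 ]; then
    install_with_permissive "$1"
fi
```

The EXIT trap is what makes the switch safe to automate: the window in which denials are only logged lasts exactly as long as the installer runs, and the Enforcing mode is back before the product is started and activated, as the text requires.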
2. Dr.Web for Linux Operation Issues

In some cases when SELinux is enabled, certain auxiliary Dr.Web for Linux components (for example, drweb-se and drweb-filecheck, used by Scanner and SpIDer Guard) cannot start. If so, object scanning and file system monitoring become unavailable. When these auxiliary modules fail to start, messages about errors 119 and 120 are displayed in the main Dr.Web for Linux window and logged by syslog (the log is usually stored in the /var/log/ directory).

When the SELinux security system blocks access, the event is also written to the audit system log. In general, when the audit daemon is used in the system, the audit log is stored in the /var/log/audit/audit.log file. Otherwise, messages about blocked operations are written to the general log file (/var/log/messages or /var/log/syslog).

If auxiliary modules do not function because they are blocked by SELinux, compile custom security policies for them.
Creating SELinux Security Policies

1. Create a new file with the SELinux policy source code (a .te file). This file defines the restrictions that apply to the module in question. The policy source code file can be created in one of the following ways:

1) Using the audit2allow utility, which is the simplest method. The utility generates permissive rules from the access denial messages in system log files. You can have it search the log messages automatically or specify the path to the log file manually.
Example of using audit2allow:
In this example, the audit2allow utility searches the audit.log file for access denial messages for the drweb-se module. The utility creates two files: the drweb-se.te policy source file and the drweb-se.pp policy module ready to install. If no corresponding incidents are found in the system audit log, the utility returns an error message. In most cases, you do not need to modify the policy file created by the audit2allow utility, so it is recommended to proceed to step 4 and install the drweb-se.pp policy module.
2) Using the policygentool utility. For that purpose, specify the name of the module whose operation you want to configure and the full path to its executable file.
Example of policy creation using policygentool:

•For drweb-se:
•For drweb-filecheck:
You will be prompted to specify several common domain characteristics. After that, three files that define the policy are created for each module: <module_name>.te, <module_name>.fc and <module_name>.if.

2. If required, edit the generated policy source file <module_name>.te, then use the checkmodule utility to create a binary representation (a .mod file) of this local policy source file.
Usage example:
3. Create a policy module ready for installation (a .pp file) with the help of the semodule_package utility. Example:
4. To install the created policy module, use the semodule utility. Example:
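Steps 1 through 4 above carried out for one auxiliary component by the audit2allow route, as an added shell example that is not Dr.Web's own tooling. It assumes that audit2allow, checkmodule, semodule_package and semodule are installed (policycoreutils), that it runs as root, and that the denial log is one of the locations named in section 2; the script name, the DRY_RUN switch, the log-location lookup and the review of the generated allow rules are the example's own additions. Unlike the shortcut in the text (going straight to step 4 with the .pp that audit2allow produced), the script always rebuilds the module from the .te file, so any edits made at step 2 are included.

```shell
#!/bin/sh
# Added example; this is not Dr.Web's tooling or documentation. It automates the
# four steps in the text for one auxiliary component (e.g. drweb-se or
# drweb-filecheck) using audit2allow: generate <module>.te/<module>.pp from the
# recorded denials, show the generated rules for review, build and install the module.
# Assumptions: policycoreutils (audit2allow, checkmodule, semodule_package,
# semodule) is installed, the script runs as root, and the denial log is one of
# the locations named in the text. DRY_RUN=1 prints the commands instead of
# executing them, which also lets the example be exercised on a host without SELinux.
#
# Usage: sh build_drweb_policy.sh drweb-se   (or DRY_RUN=1 sh build_drweb_policy.sh drweb-se)

# Log locations from the text: audit.log when auditd runs, otherwise the general log.
DENIAL_LOG_CANDIDATES="${DENIAL_LOG_CANDIDATES:-/var/log/audit/audit.log /var/log/messages /var/log/syslog}"

# Print the first readable candidate log; fail if none is present.
find_denial_log() {
    for f in $DENIAL_LOG_CANDIDATES; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no audit or system log found" >&2
    return 1
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1 (audit2allow route): feed only the log lines that mention the component
# to audit2allow, which writes <module>.te and <module>.pp in the current directory.
generate_policy() {
    module="$1"; log="$2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ grep $module $log | audit2allow -M $module"
        return 0
    fi
    # audit2allow exits non-zero when the filtered input contains no denials.
    grep "$module" "$log" | audit2allow -M "$module"
}

# Review step: a module generated from denials allows exactly what was denied,
# so list the allow rules before loading them into the kernel policy.
show_rules() {
    te="$1.te"
    [ -f "$te" ] || { echo "$te not found" >&2; return 1; }
    echo "allow rules in $te:"
    grep '^allow' "$te" || echo "(none)"
}

# Steps 2-4: compile the .te into a .mod, package it as a .pp, install it.
build_and_install() {
    module="$1"
    run checkmodule -M -m -o "$module.mod" "$module.te"
    run semodule_package -o "$module.pp" -m "$module.mod"
    run semodule -i "$module.pp"
}

main() {
    module="$1"
    log=$(find_denial_log) || exit 1
    generate_policy "$module" "$log"
    [ "${DRY_RUN:-0}" = 1 ] || show_rules "$module"
    build_and_install "$module"
    echo "loaded modules matching $module:"
    run sh -c "semodule -l | grep '$module'"
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

After the module is loaded, restart the affected component and confirm that no new denials for it appear in the same log; if they do, the audit2allow step can be repeated, and the rule review makes it visible exactly which additional accesses each iteration grants.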
For details on SELinux operating principles and configuration, refer to the documentation for your GNU/Linux distribution.