Configuring security subsystems

The presence of the SELinux enhanced security subsystem in the OS, as well as the use of mandatory access control systems such as PARSEC (as opposed to the classical discretionary model used by UNIX), causes issues in the operation of Dr.Web for Linux when its default settings are used. To ensure correct operation of Dr.Web for Linux in this case, it is necessary to make additional changes to the settings of the security subsystem and/or to the settings of Dr.Web for Linux.

This section covers the following settings that enable the correct operation of Dr.Web for Linux:

Configuring SELinux Security Policies.

Configuring the permissions of the PARSEC mandatory access control system (the Astra Linux SE OS).

For ALT 8 SP and other distributions using pam_namespace.

Configuring the launch in the CSE (Closed Software Environment) mode (Astra Linux SE 1.6 and 1.7).

Configuring the permissions of the PARSEC mandatory access control system for Dr.Web for Linux allows the anti-virus components to bypass the restrictions imposed by the configured security policies and to access files of different privilege levels.

Note that even if you have not configured the permissions of the PARSEC mandatory access control system for Dr.Web for Linux components, you will still be able to start file scanning via the Graphical management interface of Dr.Web for Linux in the autonomous instance mode. To do so, run the drweb-gui command with the --Autonomous parameter. You can also launch the scanning directly from the command line. To do this, run the drweb-ctl command with the same parameter (--Autonomous). In this case, it will be possible to scan only files that require a level of privileges not higher than the level of the user who started the scanning session. This mode has the following aspects:

To run an autonomous instance, you need a valid key file; operation in the centralized protection mode is not supported (it is possible to install a key file exported from a centralized protection server). In this case, even if Dr.Web for Linux is connected to the centralized protection server, the autonomous instance does not notify the centralized protection server of the threats detected in the autonomous instance mode.

All supplementary components that maintain the operation of the autonomous instance will be started as the current user and will operate with a custom configuration file.

All temporary files and UNIX sockets used for interaction between components are created only in a directory with a unique name. This directory is created by the started autonomous instance in the directory for temporary files (specified by the TMPDIR environment variable).

The autonomous instance of the graphical management interface does not start the SpIDer Guard and SpIDer Gate monitors; only the file scanning and quarantine management functions supported by Scanner are available.

All the required paths (to virus databases, scanning engine and executable files of service components) are set to default values or retrieved from custom environment variables.

The number of the autonomous instances working simultaneously is not limited.

When the autonomous instance is shut down, the set of components maintaining it is also terminated.