3.4 OS protected by SELinux

If your operating system is protected by the SELinux subsystem, you may receive a start error message when you attempt to start scanning (and probably also when Scanner Daemon is started automatically). Below is an example of the message that appears when scanning is started from the Dr.Web Anti-Virus for Linux Control Desk:

Figure 2. Scanner Daemon error

For the Dr.Web Console Scanner, Dr.Web Daemon and Dr.Web SpIDer Guard components to operate correctly in an OS protected by SELinux, you must either compile policies for the corresponding drweb-scanner, drweb-daemon and drweb-spider modules or set the allow_execheap variable to 1.

 

Warning: Note that the templates used to compile policy modules may vary widely, depending on the type of Linux distribution, its version, the set of SELinux policies and user settings.

For more detailed information on compiling policies, refer to the documentation for your Linux distribution.

All SELinux security policy management commands must be executed with superuser rights (use sudo or su).

To create the necessary policies:

1. Create a new SELinux policy source file (.te file). This file defines the access rules for the module being described. You can create the policy source in one of the following ways:
• Using the policygentool utility.
To do this, specify two parameters: the name of the policy module (the module whose interaction has to be adjusted) and the full path to the corresponding executable.

Warning: Note that the policygentool utility included in the selinux-policy package in Red Hat Enterprise Linux and CentOS Linux may not work correctly. In this case, use the audit2allow utility.

Example:

for Dr.Web Console Scanner:

# policygentool drweb-scanner /opt/drweb/drweb.real

for Dr.Web Daemon:

# policygentool drweb-daemon /opt/drweb/drwebd.real

for Dr.Web SpIDer Guard:

# policygentool drweb-spider /opt/drweb/drweb-spider.real

You will be prompted to enter a few common domain characteristics, and for each module three files will be created:

o <module_name>.te
o <module_name>.fc
o <module_name>.if
• Using the audit2allow utility.
This utility generates policy modules based on access denial records in system log files. It can search the system log files for these records automatically, or you can specify the path to a log file manually.

Warning: In general, when the audit daemon is used, the audit log is located in the /var/log/audit/audit.log file. Otherwise, AVC messages are stored in the /var/log/messages log file.

The audit2allow utility is included in the policycoreutils-python package (for Red Hat Enterprise Linux, CentOS, Fedora) or in the python-sepolgen package (for Debian, Ubuntu).

Example:

# audit2allow -M drweb -i /var/log/audit/audit.log

In this example, audit2allow searches for AVC messages in the audit.log file.

Example:

# audit2allow -a -M drweb

In this example, audit2allow searches for AVC messages in the system log files automatically.

In both cases, audit2allow creates two files: the SELinux policy source file (drweb.te) and the compiled policy module (drweb.pp). If you want to change the access rules for Dr.Web Anti-Virus for Linux components, edit drweb.te and go to step 2. If you do not want to change the policy file, go to step 4 to install the drweb.pp policy module.

2. Using the checkmodule utility, create a binary representation (.mod file) of the policy source file.

Warning: Note that for successful policy compilation, the checkpolicy package must be installed on the system.

Example:

# checkmodule -M -m -o drweb.mod drweb.te

3. Create the policy module (drweb.pp) using the semodule_package utility.

Example:

# semodule_package -o drweb.pp -m drweb.mod

4. To install the new policy module into the module store, use the semodule utility.

Example:

# semodule -i drweb.pp
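
The procedure above, as an added example that is not part of the Dr.Web documentation: it passes only Dr.Web denials to audit2allow (with -a, every logged denial from any program ends up in the module) and lists the memory-execution permissions those denials request, so drweb.te can be reviewed before steps 2-4. The comm="drweb" match, the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dr.Web's own tooling.
# Assumption: Dr.Web processes appear in AVC records as comm="drweb...".

# Constructed sample audit records, used only for the offline demonstration.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:51): avc:  denied  { execheap } for  pid=2101 comm="drwebd.real" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1300000000.202:52): avc:  denied  { read } for  pid=2150 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1300000000.303:53): avc:  denied  { execmem } for  pid=2160 comm="drweb.real" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1300000000.404:54): avc:  denied  { read open } for  pid=2160 comm="drweb.real" name="base.vdb" dev=dm-0 ino=5678 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Read audit records on stdin, print only AVC denials raised by Dr.Web processes.
drweb_avcs() {
    grep 'avc: *denied' | grep 'comm="drweb'
}

# Read audit records on stdin, print the memory-execution permissions that
# Dr.Web denials request (space separated, sorted), as a review aid.
drweb_exec_perms() {
    drweb_avcs | grep -oE '\{ [a-z_ ]+\}' | tr -d '{}' | tr ' ' '\n' |
        grep -E '^exec(heap|mem|stack|mod)$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Step 1: write the policy source from Dr.Web denials only ($1 = audit log path).
generate_te() {
    drweb_avcs < "$1" | audit2allow -m drweb > drweb.te
}

# Steps 2-4: run as root, after drweb.te has been read and trimmed.
compile_and_install() {
    checkmodule -M -m -o drweb.mod drweb.te
    semodule_package -o drweb.pp -m drweb.mod
    semodule -i drweb.pp
}

# Demonstration on the constructed records above.
echo "memory-execution permissions requested: $(sample_log | drweb_exec_perms)"
```

On a real host, run generate_te /var/log/audit/audit.log, read drweb.te, then run compile_and_install.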

It is also possible (but not recommended) to set up operation of Dr.Web Console Scanner, Dr.Web Daemon and Dr.Web SpIDer Guard under SELinux by setting the allow_execheap SELinux boolean to 1. This boolean allows or denies execution of data in the memory heap for all applications that run in the unconfined domain. To set the value of allow_execheap, execute the following command:

# setsebool -P allow_execheap=1