3.4 OS protected by SELinux
If your operating system is protected by the SELinux subsystem, an attempt to start scanning (and probably also an attempt to start Scanner Daemon automatically) can fail with a start error message. Example of the message shown when scanning is started from the Dr.Web Anti-Virus for Linux Control Desk:
Figure 2. Scanner Daemon error
To set up successful operation of the Dr.Web Console Scanner, Dr.Web Daemon and Dr.Web SpIDer Guard components in an OS protected by SELinux, you must compile policies for the corresponding drweb-scanner, drweb-daemon and drweb-spider modules, or set the allow_execheap variable to 1.
To create the necessary policies:
Example:
# policygentool drweb-scanner /opt/drweb/drweb.real
# policygentool drweb-daemon /opt/drweb/drwebd.real
# policygentool drweb-spider /opt/drweb/drweb-spider.real
You will be prompted to enter a few common domain characteristics, and for each module three files will be created:
Example:
# audit2allow -M drweb -i /var/log/audit/audit.log
In this example, audit2allow searches for AVC messages in the audit.log file.
Example:
# audit2allow -a -M drweb
In this example, audit2allow searches for AVC messages in the system log files automatically.
In both cases, audit2allow creates two files: the SELinux policy source file (drweb.te) and the compiled policy module (drweb.pp). If you want to change the access rules for Dr.Web Anti-Virus for Linux components, edit drweb.te and go to step 2. If you do not want to change the policy file, go to step 4 to install the drweb.pp policy module.
Example:
# checkmodule -M -m -o drweb.mod drweb.te
Example:
# semodule_package -o drweb.pp -m drweb.mod
Example:
# semodule -i drweb.pp
It is also possible (but not recommended) to set the allow_execheap variable to 1 to set up operation of Dr.Web Console Scanner, Dr.Web Daemon and Dr.Web SpIDer Guard in SELinux. The allow_execheap variable (an SELinux boolean) allows or denies execution of data in the memory heap for all applications that run in the unconfined domain. To set the value of the allow_execheap variable, execute the following command:
# setsebool -P allow_execheap=1
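The audit2allow commands above read every AVC denial in the log, so the generated drweb module can also pick up rules for unrelated processes. The following added example (not part of the Dr.Web documentation) filters an audit log down to denials from Dr.Web binaries and summarises them for review before the module is built. The log records are constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Dr.Web code: keep only Dr.Web AVC denials for audit2allow.

# Constructed sample audit records (not from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:41): avc:  denied  { execheap } for  pid=2301 comm="drweb.real" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1300000000.202:42): avc:  denied  { read } for  pid=911 comm="httpd" name="shadow" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1300000000.303:43): avc:  denied  { execheap } for  pid=2310 comm="drwebd.real" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1300000000.303:43): arch=40000003 syscall=125 success=no exit=-13 comm="drwebd.real" exe="/opt/drweb/drwebd.real"
type=AVC msg=audit(1300000000.404:44): avc:  denied  { execheap } for  pid=2310 comm="drwebd.real" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1300000000.505:45): avc:  denied  { execheap } for  pid=2399 comm="drweb-spider.re" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
EOF
}

# Print AVC denials whose comm= starts with "drweb". The kernel truncates
# comm to 15 characters, so drweb-spider.real is logged as "drweb-spider.re".
drweb_avc() {
    grep '^type=AVC ' | grep ' denied ' | grep -E 'comm="drweb[^"]*"'
}

# Summarise the filtered denials as "count comm class perms".
drweb_avc_summary() {
    drweb_avc | awk '{
        perms = $0; sub(/^.*[{] /, "", perms); sub(/ [}].*$/, "", perms)
        comm = ""; class = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   { comm = $i;  gsub(/comm=|"/, "", comm) }
            if ($i ~ /^tclass=/) { class = $i; sub(/^tclass=/, "", class) }
        }
        n[comm " " class " " perms]++
    } END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Usage on a real system (log path as given on this page):
#   drweb_avc_summary < /var/log/audit/audit.log
#   drweb_avc < /var/log/audit/audit.log | audit2allow -M drweb
```

If the summary lists only the denials you expect for the three Dr.Web components, the filtered stream can be piped into audit2allow in place of the -a or -i input.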