Dr.Web Anti-virus for Linux (Desktop Security Suite) v. 6.0.2
Installation notes for operating systems containing SELinux security subsystem

=============================================================================
This document is a property of Doctor Web. No part of this document may be
reproduced, published or transmitted in any form or by any means for any other
purpose than the purchaser's personal use without proper attribution.

Dr.Web is the registered trademark of Doctor Web, Ltd. Linux is the registered
trademark of Linus Torvalds in the U.S. and other countries. Other trademarks,
registered trademarks and company names used in this document are property of
their respective owners.

There might be improvements and changes in the software not described in this
manual. The corrected and supplemented versions of this manual are available at
the official website of Doctor Web at http://www.drweb.com/.
=============================================================================

(C) Doctor Web, Ltd., 1992-2013
Russian Federation, Moscow - Saint-Petersburg
http://www.drweb.com/

If the used Linux distribution features the SELinux security subsystem
(Security-Enhanced Linux), you need to configure the security policies used by
SELinux in order to enable correct operation of the anti-virus components
(Dr.Web Daemon, Dr.Web Console Scanner and Dr.Web SpIDer Guard) after the
installation.

Note that if the SELinux security policies are not configured after the
installation of Dr.Web Anti-virus for Linux, user authentication (including
superuser root authentication) and remote access to the system via SSH may be
blocked. Moreover, if SELinux is enabled, product installation from the
distribution packages (.run) can fail because the attempt to create the drweb
user, whose privileges are used by Dr.Web Anti-virus for Linux, will be
blocked. Thus, before installing the product, check the SELinux operation mode
with the getenforce command.
This command outputs the current operation mode, which can be one of the
following:

* Permissive - the policy is loaded but not enforced: actions that violate it
  are logged but not denied.
* Enforcing - the policy is loaded and enforced: actions that violate it are
  logged and denied.
* Disabled - SELinux is installed but not active.

If SELinux is operating in the Enforcing mode, temporarily (until the product
is installed and the security policies are configured) switch to the
Permissive mode. To do this, enter the setenforce 0 command, which sets the
SELinux operation mode to Permissive until the next restart. To enable the
Enforcing mode again, enter the setenforce 1 command. Note that regardless of
the mode enabled with the setenforce command, after a system restart SELinux
will operate in the mode specified in its settings (normally, the SELinux
configuration file is located in the /etc/selinux directory).

If the audit daemon (auditd) is used, the denial messages are written to the
/var/log/audit/audit.log file. Otherwise, notifications on forbidden actions
are logged to /var/log/messages.

For correct operation of the anti-virus components when SELinux is enabled,
compile special security policies once the product installation completes.
Please note that some Linux distributions may not have the utilities mentioned
below installed by default. In this case you need to additionally install the
required utility packages.

To create the required policies:

1. Create a new file with the SELinux policy source code (.te file). The file
   defines the restrictions applied to the described module. The source file
   can be created in one of two ways:

   1) With the audit2allow utility. This way is simpler. The utility generates
      allow rules based on the access denial messages found in the system log
      files. You can let it search the log files automatically or specify the
      path to the log file manually.
      The audit2allow utility resides in the policycoreutils-python package or
      the policycoreutils-devel package (for Red Hat Enterprise Linux, CentOS
      Linux and Fedora Linux, depending on the version), or in the
      python-sepolgen package (for Debian and Ubuntu Linux).

      Example usage:

      # audit2allow -M drweb -i /var/log/audit/audit.log

      OR

      # cat /var/log/audit/audit.log | audit2allow -M drweb

      In this example, the audit2allow utility searches for access denial
      messages in the audit.log file.

      # audit2allow -a -M drweb

      In this example, audit2allow searches for access denial messages in the
      log files automatically.

      In both cases two files are created as a result: the drweb.te policy
      source file and the drweb.pp policy module, which is ready for
      installation. In most cases you do not need to adjust the policies
      created by the utility, so it is recommended to go to step 4 to install
      the drweb.pp policy module. Note that audit2allow outputs the semodule
      command invocation string; copy the string to the command line and
      execute it to perform step 4. Go to step 2 only if you want to adjust
      the policies automatically generated for the Dr.Web Anti-virus
      components.

   2) With the policygentool utility. As parameters, specify the name of the
      module whose operation you want to configure and the path to its
      executable file. Note that the policygentool utility included in the
      selinux-policy package for Red Hat Enterprise Linux and CentOS Linux
      might not function correctly. In this case, use the audit2allow utility.

      Example of creating policies with policygentool:

      - For Dr.Web Console Scanner:
        # policygentool drweb-scanner /opt/drweb/drweb.real
      - For Dr.Web Daemon:
        # policygentool drweb-daemon /opt/drweb/drwebd.real

      You will be prompted for information on some domain features, and then
      for each of the modules three files which define the policy will be
      created: [module_name].te, [module_name].fc and [module_name].if.

2.
   If necessary, edit the generated policy source file [module_name].te, and
   then use the checkmodule utility to create a binary representation (.mod)
   of the policy source file. Please note that for successful policy
   compilation the checkpolicy package must be installed in the system.

   Usage example:

   # checkmodule -M -m -o drweb.mod drweb.te

3. Create a policy module (drweb.pp) with the semodule_package utility.

   Example:

   # semodule_package -o drweb.pp -m drweb.mod

4. To install the new policy module into the policy module store, use the
   semodule utility.

   Example:

   # semodule -i drweb.pp

5. During its operation, Dr.Web SpIDer Guard uses the libdw_notify.so library.
   To avoid errors in library operation, SELinux must assign the correct label
   to the library file. For this purpose, relabel the file system: to instruct
   SELinux to relabel all files on the next boot, create the .autorelabel file
   in the root directory and restart the operating system, for example with
   the following commands:

   # touch /.autorelabel
   # reboot

After the system restart, the SELinux security subsystem will be configured to
enable correct operation of Dr.Web Anti-virus for Linux.

For details on how to configure SELinux and on its operation features, refer
to the documentation for the used Linux distribution.
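The following script is an added example and is not part of the Dr.Web
distribution. It shows the review step that the procedure above leaves
implicit: audit2allow turns every denial in the log it is given into an allow
rule, so before running it you should confirm that the denials come from the
Dr.Web processes and from nothing else (a denial for sshd that happens to be in
the same log would otherwise end up in drweb.pp). The script summarises the
distinct AVC denials for one process name, hands only those lines to
audit2allow, and wraps steps 2-4 (checkmodule, semodule_package, semodule) for
a .te file that has been edited by hand. Assumptions: the audit log has the
auditd format shown in the constructed sample lines; the Dr.Web Daemon process
name (comm) is drwebd.real, taken from the executable path above but still an
assumption; the policycoreutils and checkpolicy tools are on PATH.

```sh
#!/bin/sh
# Added example (not Dr.Web's own script): review SELinux denials before turning
# them into a policy module, then build and install the module from the
# (possibly hand-edited) .te file.
# Assumptions: auditd log format; Dr.Web Daemon runs with comm="drwebd.real"
# (assumption derived from /opt/drweb/drwebd.real); checkmodule,
# semodule_package, semodule and audit2allow are on PATH.

# Constructed sample audit lines (not captured from a real system): two
# denials for the Dr.Web daemon that map to the same rule, plus one unrelated
# denial for sshd that must NOT be turned into a Dr.Web policy rule.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1362000000.123:456): avc:  denied  { read } for  pid=1234 comm="drwebd.real" name="drwebd.log" dev=sda1 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1362000000.130:457): avc:  denied  { read } for  pid=1234 comm="drwebd.real" name="drwebd.log" dev=sda1 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1362000001.000:458): avc:  denied  { name_bind } for  pid=999 comm="sshd" src=22 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket'

# Print one line per distinct AVC denial read from stdin: comm, source context,
# target context, object class and the denied permissions. With an argument,
# keep only denials whose comm equals it, so unrelated denials never reach
# audit2allow.
avc_denials() {
    awk -v want="${1:-}" '
    /type=AVC/ && /denied/ {
        perms = ""; comm = ""; s = ""; t = ""; c = ""
        # permissions are listed between braces: "{ read write }"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        }
        # pick the key=value fields we need
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "comm") { comm = v; gsub(/"/, "", comm) }
            else if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") c = v
        }
        if (want != "" && comm != want) next
        key = comm " " s " " t " " c " { " perms " }"
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Steps 2-4 of the notes for a module whose .te source may have been edited:
# compile to .mod, package as .pp, install with semodule. Fails early when a
# tool or the source file is missing instead of half-building the module.
build_policy_module() {
    name=$1
    [ -n "$name" ] || { echo "build_policy_module: module name required" >&2; return 1; }
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "build_policy_module: $tool not found (install checkpolicy / policycoreutils)" >&2
            return 1
        }
    done
    [ -f "$name.te" ] || { echo "build_policy_module: $name.te not found" >&2; return 1; }
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# review [audit.log] [comm]: summarise the denials for one process, then run
#                            audit2allow on those lines only (step 1, way 1).
# build  [module]:           rebuild and install the module from its .te (2-4).
main() {
    case "$1" in
    review)
        log=${2:-/var/log/audit/audit.log}
        comm=${3:-drwebd.real}
        if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
            echo "SELinux is Enforcing; run 'setenforce 0' until the module is installed" >&2
        fi
        echo "Distinct denials for comm=$comm in $log:"
        avc_denials "$comm" < "$log"
        # Hand audit2allow only the Dr.Web lines, never the whole log.
        grep "comm=\"$comm\"" "$log" > "$comm.avc" &&
        audit2allow -M drweb -i "$comm.avc"
        echo "Inspect drweb.te; then 'semodule -i drweb.pp', or edit it and run: $0 build drweb"
        ;;
    build) build_policy_module "${2:-drweb}" ;;
    *) echo "usage: $0 review [audit.log] [comm] | build [module]" >&2; return 2 ;;
    esac
}

# Run only when a subcommand is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as "sh drweb_selinux.sh review /var/log/audit/audit.log drwebd.real" after
installing the product in Permissive mode and exercising the daemon and the
scanner, and read the printed summary before accepting the generated drweb.te.
Each summary line is one source type, target type, object class and permission
set; a line whose comm is not a Dr.Web process, or whose target type is
unrelated to files the anti-virus needs (for example the sshd line in the
constructed sample), should not be allowed by the Dr.Web module.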