Dr.Web Anti-virus for Linux
(Desktop Security Suite)

v. 6.0.2

Installation notes for operating systems containing
SELinux security subsystem

=============================================================================

This document is a property of Doctor Web. No part of this document may be
reproduced, published or transmitted in any form or by any means for any
other purpose than the purchaser's personal use without proper attribution.

Dr.Web is the registered trademark of Doctor Web, Ltd.
Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries.

Other trademarks, registered trademarks and company names used in this
document are property of their respective owners.

There might be improvements and changes in the software not described in
this manual. The corrected and supplemented versions of this manual are
available at the official website of Doctor Web at http://www.drweb.com/.

=============================================================================

(C) Doctor Web, Ltd., 1992-2013
Russian Federation, Moscow - Saint-Petersburg
http://www.drweb.com/


If the Linux distribution in use includes the SELinux security subsystem
(Security-Enhanced Linux), you need to configure the security policies used
by SELinux after the installation so that the anti-virus components (Dr.Web
Daemon, Dr.Web Console Scanner and Dr.Web SpIDer Guard) operate correctly.

Note that if the SELinux security policies are not configured after Dr.Web
Anti-virus for Linux is installed, user authentication (including superuser
root authentication) and remote access to the system via SSH may be blocked.

Moreover, if SELinux is enabled, installation of the product from
distribution packages (.run) can fail, because the attempt to create the
drweb user, whose privileges Dr.Web Anti-virus for Linux runs with, will be
blocked.

Thus, before installing the product, check the SELinux operation mode with
the getenforce command. This command outputs the current operation mode,
which can be one of the following:

* Permissive - protection is active, but restrictions are not enforced:
  actions that violate the security policy are logged but not denied.

* Enforced - protection is active and restrictions are enforced: actions
  that violate the security policy are logged and blocked.

* Disabled - SELinux is installed but not active.

If SELinux is operating in the Enforced mode, temporarily (until the product
is installed and the security policies are configured) enable the Permissive
mode. To do this, enter the setenforce 0 command, which sets the SELinux
operation mode to Permissive until the next restart. To enable the Enforced
mode again, enter the setenforce 1 command.

Note that regardless of the mode enabled with the setenforce command, after a
system restart SELinux will operate in the mode specified in its settings
(normally, the SELinux configuration file is located in the /etc/selinux
directory).

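The following shell helper is an added example, not part of the Dr.Web notes. It turns the check above into code: it reads the persistent mode from the SELINUX= line of the configuration file (assumed here to be /etc/selinux/config) and maps the runtime mode printed by getenforce (the actual strings are Enforcing, Permissive and Disabled) to the action the notes prescribe. The final branch catches the case the last paragraph describes: a system that is Permissive now but will come back Enforcing after the reboot that the relabelling step requires.

```shell
#!/bin/sh
# Added example, not Dr.Web's code: compare the runtime SELinux mode with the
# persistent one, since setenforce only lasts until the next reboot.
# getenforce prints "Enforcing", "Permissive" or "Disabled"; the persistent
# mode is the SELINUX= line of the configuration file, which this example
# assumes to be /etc/selinux/config.

# Read the persistent mode from a configuration file.
# Prints enforcing, permissive or disabled; "unknown" if the file is missing
# or carries no SELINUX= line (SELINUXTYPE= and comment lines are ignored).
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    mode=$(printf '%s' "$mode" | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Map the runtime mode printed by getenforce to the action the notes prescribe
# before the product is installed.
pre_install_action() {
    case "$1" in
        Enforcing)  printf 'switch-to-permissive\n' ;;   # setenforce 0 now, setenforce 1 once the policies are installed
        Permissive) printf 'proceed\n' ;;
        Disabled)   printf 'no-policy-needed\n' ;;
        *)          printf 'unknown\n'; return 1 ;;
    esac
}

# Live check; only runs when invoked as "sh selinux-mode.sh check" on a host
# that has getenforce.
if [ "${1:-}" = "check" ] && command -v getenforce >/dev/null 2>&1; then
    runtime=$(getenforce)
    persistent=$(selinux_config_mode /etc/selinux/config)
    printf 'runtime=%s persistent=%s action=%s\n' \
        "$runtime" "$persistent" "$(pre_install_action "$runtime")"
    if [ "$runtime" = "Permissive" ] && [ "$persistent" = "enforcing" ]; then
        echo "note: Permissive only until reboot; install the policy module before restarting"
    fi
fi
```

Run it as `sh selinux-mode.sh check` before starting the installer; the functions can also be sourced from another script.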
In general, if the audit daemon is used, the log resides in the
/var/log/audit/audit.log file. Otherwise, notifications on forbidden actions
are logged to the following log file: /var/log/messages.

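As an added example (not from the Dr.Web notes), the following shell functions pull the AVC denial records for one process out of an audit log in the layout auditd writes to /var/log/audit/audit.log and summarise them by source type, target type and object class, which is exactly the information audit2allow later turns into allow rules. Looking at this summary first shows whether every denial really belongs to the product or whether unrelated activity was logged in the same window. The records in sample_audit_log are constructed, and the drweb_t type in them is hypothetical.

```shell
#!/bin/sh
# Added example, not Dr.Web's code: extract and summarise AVC denial records
# for one process from an audit log, before handing the log to audit2allow.
# The records in sample_audit_log are constructed; drweb_t is a hypothetical
# type name.

# Print one line per AVC denial whose comm= field equals $2, as
#   perms|scontext|tcontext|tclass
# $1: audit log path (normally /var/log/audit/audit.log)
avc_denials_for() {
    awk -v want="$2" '
        /type=AVC/ && /avc: +denied/ {
            comm = ""; perms = ""; sc = ""; tc = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {                 # permissions are listed between { and }
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = (perms == "" ? $j : perms " " $j)
                }
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            gsub(/"/, "", comm)
            if (comm == want) print perms "|" sc "|" tc "|" cls
        }' "$1"
}

# Count denials per (source type, target type, object class), most frequent
# first; the type is the third colon-separated field of a security context.
avc_summary() {
    avc_denials_for "$1" "$2" | awk -F'|' '
        { split($2, s, ":"); split($3, t, ":"); n[s[3] " -> " t[3] " (" $4 ")"]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample records in the layout auditd writes (not a real capture).
sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1362139241.101:201): avc:  denied  { read } for  pid=2301 comm="drwebd" name="passwd" dev=sda1 ino=4242 scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1362139241.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="drwebd" exe="/opt/drweb/drwebd.real"
type=AVC msg=audit(1362139242.330:202): avc:  denied  { read } for  pid=2301 comm="drwebd" name="passwd" dev=sda1 ino=4242 scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362139243.512:203): avc:  denied  { write } for  pid=2301 comm="drwebd" name="drwebd.log" dev=sda1 ino=9981 scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1362139244.777:204): avc:  denied  { name_connect } for  pid=1130 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF
}

# Usage: sh avc-triage.sh triage /var/log/audit/audit.log drwebd
if [ "${1:-}" = "triage" ]; then
    avc_summary "$2" "$3"
fi
```

On the constructed sample, `avc_summary` for drwebd reports two denials against etc_t and one against var_log_t, while the sshd record is left out because it belongs to another process and should not end up in the product's policy module.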
For correct operation of the anti-virus components when SELinux is enabled,
compile special security policies once the product installation completes.

Please note that some Linux distributions may not have the utilities
mentioned below installed by default. In this case you need to additionally
install the required utility packages.

To create the required policies:

1. Create a new file with the SELinux policy source code (.te file). The file
   defines the restrictions applied to the described module. The source file
   can be created in one of two ways:

   1) With the audit2allow utility. This is the simpler way. The utility
      generates allow rules from the access-denial messages found in the
      system log files. You can let it search the log files automatically or
      specify the path to the log file manually.

      The audit2allow utility resides in the policycoreutils-python package
      or the policycoreutils-devel package (for RedHat Enterprise Linux,
      CentOS Linux and Fedora Linux, depending on the version), or in the
      python-sepolgen package (for Debian and Ubuntu Linux).

      Example usage:

        # audit2allow -M drweb -i /var/log/audit/audit.log
      OR
        # cat /var/log/audit/audit.log | audit2allow -M drweb

      In this example, the audit2allow utility searches for access-denied
      messages in the audit.log file.

        # audit2allow -a -M drweb

      In this example, audit2allow searches for access-denied messages in the
      log files automatically.

      In both cases, two files are created as a result: the drweb.te policy
      source file and the drweb.pp policy module, which is ready for
      installation.

      In most cases you do not need to adjust the policies created by the
      utility, so it is recommended to go to step 4 to install the drweb.pp
      policy module. Note that the audit2allow utility prints the semodule
      command line to execute; copying that line to the command line and
      running it performs the instructions of step 4. Go to step 2 only if
      you want to adjust the policies that were generated automatically for
      the Dr.Web Anti-virus components.

   2) With the policygentool utility. As parameters, specify the name of the
      module whose operation you want to configure and the path to its
      executable file.

      Note that the policygentool utility included in the selinux-policy
      package for RedHat Enterprise Linux and CentOS Linux might not function
      correctly. In this case, use the audit2allow utility.

      Example of creating policies with policygentool:

      - For Dr.Web Console Scanner:
        # policygentool drweb-scanner /opt/drweb/drweb.real

      - For Dr.Web Daemon:
        # policygentool drweb-daemon /opt/drweb/drwebd.real

      You will be prompted for information on some domain features, and then
      for each of the modules three files that determine the policy will be
      created: [module_name].te, [module_name].fc and [module_name].if.

2. If necessary, edit the generated policy source file [module_name].te and
   then use the checkmodule utility to create a binary representation (.mod)
   of the policy source file.

   Please note that for successful policy compilation, the checkpolicy
   package must be installed in the system.

   Usage example:

     # checkmodule -M -m -o drweb.mod drweb.te

3. Create a policy module (drweb.pp) with the semodule_package utility.

   Example:

     # semodule_package -o drweb.pp -m drweb.mod

4. To install the new policy module into the policy module store, use the
   semodule utility.

   Example:

     # semodule -i drweb.pp

5. During its operation, Dr.Web SpIDer Guard uses the libdw_notify.so
   library. To avoid errors in library operation, SELinux must assign the
   correct label to the library file. For this purpose, relabel the file
   system with automatic reassignment of file labels.

   To instruct SELinux to relabel the files, create the .autorelabel file in
   the root directory and restart the operating system, for example with the
   following commands:

     # touch /.autorelabel
     # reboot

After the system restart, the SELinux security subsystem will be configured
to enable correct operation of Dr.Web Anti-virus for Linux.


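The following shell script is an added example rather than part of the Dr.Web notes. It chains steps 2 to 4 above with the checks a careful installer wants: it verifies that the checkpolicy and policycoreutils tools are present, and it refuses to package a .te file that declares a permissive domain, grants access to sensitive types (shadow_t and the like) or grants process-control permissions, because audit2allow writes an allow rule for every denial it sees, including ones caused by unrelated activity logged while the product was being exercised. The sample policy in sample_te is constructed in audit2allow's output layout; drweb_t is a hypothetical type name, and the type and permission lists in review_te are this example's choice, not a list from the product.

```shell
#!/bin/sh
# Added example, not Dr.Web's code: review a generated .te policy source,
# then compile, package and install it (steps 2-4 of the notes) with checks.
# The sample policy below is constructed; drweb_t is a hypothetical type.

# Flag rules a generated policy should not carry without a deliberate decision:
# permissive domains, allow rules targeting sensitive types, and allow rules
# granting process-control or policy-control permissions. The type and
# permission lists are this example's choice, not a list from the product.
# Prints each offending line; exit status 1 if any were found.
review_te() {
    awk '
        /^[[:space:]]*permissive[[:space:]]/ { print "permissive domain: " $0; bad = 1 }
        /^[[:space:]]*allow[[:space:]]/ {
            if ($0 ~ /(shadow_t|unconfined_t|kernel_t|security_t|selinux_config_t)/) {
                print "sensitive target: " $0; bad = 1
            } else if ($0 ~ /(ptrace|sys_admin|sys_module|setenforce|load_policy)/) {
                print "broad permission: " $0; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Compile, package and install NAME.te from the current directory, as in
# steps 2-4 of the notes, after the review above has passed.
install_policy_module() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing $tool: install the checkpolicy/policycoreutils packages" >&2; return 2; }
    done
    review_te "$name.te" || { echo "fix $name.te before installing it" >&2; return 3; }
    checkmodule -M -m -o "$name.mod" "$name.te" || return 4
    semodule_package -o "$name.pp" -m "$name.mod" || return 4
    semodule -i "$name.pp" || return 4
    # Confirm the module is now in the store (semodule -l prints one module per line).
    semodule -l | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'
}

# Constructed sample in audit2allow's output layout, with one rule (shadow_t)
# that should not be granted without an explicit decision.
sample_te() {
    cat > "$1" <<'EOF'
module drweb 1.0;

require {
        type drweb_t;
        type etc_t;
        type var_log_t;
        type shadow_t;
        class file { read write open getattr };
}

#============= drweb_t ==============
allow drweb_t etc_t:file { read open getattr };
allow drweb_t var_log_t:file { write open };
allow drweb_t shadow_t:file { read open };
EOF
}

# Usage: sh review-and-install.sh install [NAME]   (NAME defaults to drweb)
if [ "${1:-}" = "install" ]; then
    install_policy_module "${2:-drweb}"
fi
```

Run `sh review-and-install.sh install drweb` in the directory holding drweb.te; if review_te reports a line, either remove the rule from the .te file or keep it deliberately and rerun, then continue with the relabelling in step 5.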
For details on how to configure SELinux and on its operation features, refer
to the documentation for the Linux distribution in use.