server/opt/drweb/doc/readme.selinux
Dr.Web Anti-virus for Linux
(Desktop Security Suite)
v. 6.0.2
Installation notes for operating systems containing
SELinux security subsystem
=============================================================================
This document is a property of Doctor Web. No part of this document may be
reproduced, published or transmitted in any form or by any means for any
other purpose than the purchaser's personal use without proper attribution.
Dr.Web is the registered trademark of Doctor Web, Ltd.
Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries.
Other trademarks, registered trademarks and company names used in this
document are property of their respective owners.
There might be improvements and changes in the software not described in
this manual. The corrected and supplemented versions of this manual are
available at the official website of Doctor Web at http://www.drweb.com/.
=============================================================================
(C) Doctor Web, Ltd., 1992-2013
Russian Federation, Moscow - Saint-Petersburg
http://www.drweb.com/
If the Linux distribution in use features the SELinux security subsystem
(Security-Enhanced Linux), you need to configure the security policies used by
SELinux in order to enable correct operation of the anti-virus components
(Dr.Web Daemon, Dr.Web Console Scanner and Dr.Web SpIDer Guard) after the
installation.
Note that if the SELinux security policies are not configured after installation
of Dr.Web Anti-virus for Linux, user authentication (including superuser root
authentication) and remote access to the system via SSH may be blocked.
Moreover, if SELinux is enabled, product installation from distribution packages
(.run) can fail because the attempt to create the drweb user, whose privileges
are used by Dr.Web Anti-virus for Linux, will be blocked.
Thus, before installing the product, check the SELinux operation mode with the
getenforce command. This command outputs the current operation mode, which can
be one of the following:
* Permissive - protection is active, but restrictions are not enforced: actions
that violate the policy are logged but not denied.
* Enforced (reported as Enforcing by getenforce) - protection is active and
restrictions are enforced: actions that violate the policy are logged and
blocked.
* Disabled - SELinux is installed but not active.
If SELinux is operating in the Enforced mode, temporarily (until the product is
installed and the security policies are configured) enable the Permissive mode.
To do this, enter the setenforce 0 command, which sets the SELinux operation
mode to Permissive until the next restart. To enable the Enforced mode again,
enter the setenforce 1 command.
Note that regardless of the mode enabled with the setenforce command, after a
system restart SELinux will operate in the mode specified in its settings
(normally the SELinux configuration file is /etc/selinux/config).
If the audit daemon is used, denials are logged to the
/var/log/audit/audit.log file. Otherwise, notifications on forbidden actions
are logged to /var/log/messages.
For correct operation of the anti-virus components when SELinux is enabled,
compile special security policies once the product installation completes.
Please note that some Linux distributions may not have the utilities mentioned
below installed by default. In this case you need to install the required
utility packages additionally.
To create the required policies:
1. Create a new file with the SELinux policy source code (.te file). The file
defines the restrictions applied to the described module. The source file can
be created in one of two ways:
1) With the audit2allow utility. This way is simpler. The utility generates
allow rules from the access-denial messages recorded in the system log files.
You can let the utility search the log files automatically or specify the path
to a log file manually.
The audit2allow utility resides in the policycoreutils-python package or the
policycoreutils-devel package (for RedHat Enterprise Linux, CentOS Linux and
Fedora Linux, depending on the version), or in the python-sepolgen package
(for Debian and Ubuntu Linux).
Example usage:
# audit2allow -M drweb -i /var/log/audit/audit.log
OR
# cat /var/log/audit/audit.log | audit2allow -M drweb
In this example, the audit2allow utility searches for access denied messages
in the audit.log file.
# audit2allow -a -M drweb
In this example, audit2allow searches for access denied messages in the log
files automatically.
In both cases the utility creates two files: the drweb.te policy source file
and the drweb.pp policy module, which is ready for installation.
In most cases you do not need to adjust the policies created by the utility,
so it is recommended to go to step 4 to install the drweb.pp policy module.
Note that audit2allow outputs the semodule command invocation string; copy the
string to the command line and execute it, which performs step 4. Go to step 2
only if you want to adjust the policies that are automatically generated for
the Dr.Web Anti-virus components.
2) With the policygentool utility. As parameters, specify the name of the
module whose operation you want to configure and the path to its executable
file.
Note that the policygentool utility included in the selinux-policy package for
RedHat Enterprise Linux and CentOS Linux might not function correctly. In this
case, use the audit2allow utility.
Example of creating policies with policygentool:
- For Dr.Web Console Scanner:
# policygentool drweb-scanner /opt/drweb/drweb.real
- For Dr.Web Daemon:
# policygentool drweb-daemon /opt/drweb/drwebd.real
You will be prompted for information on some domain features, and then for
each of the modules three files that determine the policy will be created:
[module_name].te, [module_name].fc and [module_name].if.
2. If necessary, edit the generated policy source file [module_name].te and
then use the checkmodule utility to create a binary representation (.mod) of
the policy source file.
Please note that for successful policy compilation the checkpolicy package
must be installed in the system.
Usage example:
# checkmodule -M -m -o drweb.mod drweb.te
3. Create a policy module (drweb.pp) with the use of semodule_package utility.
Example:
# semodule_package -o drweb.pp -m drweb.mod
4. To install the new policy module into the policy module store, use the
semodule utility.
Example:
# semodule -i drweb.pp
5. During its operation, Dr.Web SpIDer Guard uses the libdw_notify.so library.
To avoid errors in library operation, SELinux must assign the correct label to
the library file. For this purpose, relabel the file system with automatic
reassignment of file labels.
To instruct SELinux to relabel the files, create the .autorelabel file in the
root directory and restart the operating system, for example with the
following commands:
# touch /.autorelabel
# reboot
After the system restart, the SELinux security subsystem will be configured to
enable correct operation of Dr.Web Anti-virus for Linux.
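What audit2allow does in step 1 can be checked before the module is installed: the following Python script, an added example that is not part of the Dr.Web documentation, parses AVC denial records from a constructed audit.log excerpt and renders them as .te module source in the shape audit2allow -M produces, so each allow rule can be reviewed before steps 2-4. The log lines, the drweb_t source type and the file paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of /var/log/audit/audit.log (illustrative values only; the
# drweb_t source type is an assumed label, not one Dr.Web ships).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358760000.123:101): avc:  denied  { read } for  pid=1234 comm="drwebd" name="bases" scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1358760000.456:102): avc:  denied  { read open } for  pid=1234 comm="drwebd" path="/var/drweb/bases/drwebase.vdb" scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1358760001.789:103): avc:  denied  { write } for  pid=1234 comm="drwebd" name="drwebd.log" scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358760001.789:103): arch=c000003e syscall=2 success=no exit=-13 comm="drwebd"
type=AVC msg=audit(1358760002.000:104): avc:  denied  { getattr } for  pid=1234 comm="drwebd" path="/var/drweb/bases/drwebase.vdb" scontext=system_u:system_r:drweb_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# One AVC record: denied permissions, source/target types, object class (MLS range optional).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)(?::\S*)?\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S*)?\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_denials(log_text):
    """Map (source_type, target_type, class) to the union of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if 'type=AVC' not in line:      # SYSCALL, CWD, PATH records carry no rule
            continue
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def render_te(rules, module='drweb', version='1.0'):
    """Render the collected denials as .te module source (what audit2allow -M emits)."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c].update(perms)
    lines = [f'module {module} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    # Every rule here is an allow: review each before checkmodule/semodule_package.
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(render_te(parse_denials(SAMPLE_AUDIT_LOG)), end='')
```

The printed source can be saved as drweb.te and fed to checkmodule in step 2; rules for directories and files with the same source and target type are merged just as audit2allow merges them.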
For details on how to configure SELinux and on its operation features, refer to
the documentation for the Linux distribution in use.