Table of contents

Troubleshoot SELinux alerts

To check if SELinux is enabled, use the sestatus command.

SELinux blocks the Deep Security Agent service

When the SELinux policy is set to enable and it blocks the Deep Security Agent service, the following alert sample might appear in the system audit log /var/log/audit/audit.log or SELinux log /var/log/audit.log:

[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file/var/opt/ds_agent/dsa_core/ds_agent.db-shm.
*****  Plugin leaks (86.2 confidence) suggests   *****************************
If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access.  Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
semodule -i POLICYNAME.pp

To resolve the issue, create a custom SELinux policy with Audit2allow, as follows:

  1. Connect to the Deep Security Agent system as a root user.
  2. Run the following commands to create a custom policy that will allow access to agent files:

    shell cd /tmp grep ds_agent /var/log/audit/audit\* | audit2allow -M ds_agent semodule -i ds_agent.pp

  3. Restart the ds_agent service.

  4. Execute the following command to check the system messages and confirm that there are no alerts related to ds_agent: cat /var/log/messages | grep ds_agent
  5. If alerts still occur, rerun the commands from step 2 to update and reapply the existing policy.

To remove the SELinux policy, use the following command:

semodule -r ds_agent

Berkeley Packet Filter (BPF) operations blocked

This issue can occur under the following conditions:

An alert similar to the following might appear in the system log /var/log/audit/audit.log or SELinux log /var/log/audit.log:

type=AVC msg=audit(1682773485.952:1080): avc:  denied  { map_create } for  pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=SYSCALL msg=audit(1682773485.952:1080): arch=c000003e syscall=321 success=no exit=-13 a0=0 a1=c000a25800 a2=2c a3=0 items=0 ppid=12802 pid=12807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ds_nuagent" exe="/opt/ds_agent/nuagent/ds_nuagent" subj=system_u:system_r:unconfined_service_t:s0 key=(null)

To resolve the issue, follow these steps to create a custom SELinux policy:

  1. Connect to the Deep Security Agent system as a root user.
  2. Create a Type Enforcement file named nuagent.te:

    module nuagent 1.0;
    require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
    }
    #============= unconfined_service_t ==============
    allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
  3. Run the following commands to create a custom policy that allows bpf access for ds_nuagent:

    checkmodule -M -m -o nuagent.mod nuagent.te
    semodule_package -o nuagent.pp -m nuagent.mod
    semodule -i nuagent.pp
  4. Restart the ds_agent service.

Deep Security Agent version 20.0.0-8137 and later added support for a new process called tm_netagent. The ds_nuagent process is still supported and the process names can be used interchangeably.