Troubleshoot SELinux alerts

To check if SELinux is enabled, use the sestatus command.

SELinux blocks the Deep Security Agent service

When SELinux is enabled and blocks the Deep Security Agent service, an alert like the following sample might appear in the system audit log or SELinux log (/var/log/audit/audit.log or /var/log/audit.log):

[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.
*****  Plugin leaks (86.2 confidence) suggests   *****************************
If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access.  Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
semodule -i [POLICYNAME].pp

To resolve the issue, create a custom SELinux policy with audit2allow:

  1. Connect to the Deep Security Agent system as a root user.
  2. Run the following commands to create a custom policy that will allow access to agent files:

    cd /tmp

    grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent

    semodule -i ds_agent.pp

  3. Restart the ds_agent service.

  4. Check the system messages and confirm that there are no alerts related to ds_agent:

    cat /var/log/messages | grep ds_agent

  5. If alerts still occur, re-run the commands from step 2. This updates and re-applies the existing policy.

To remove the SELinux policy, use the following command: semodule -r ds_agent.

Berkeley Packet Filter (BPF) operations blocked

This issue can occur under the following conditions:

An alert similar to this sample might appear in the system log or SELinux log (/var/log/audit/audit.log or /var/log/audit.log):

type=AVC msg=audit(1682773485.952:1080): avc:  denied  { map_create } for  pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=SYSCALL msg=audit(1682773485.952:1080): arch=c000003e syscall=321 success=no exit=-13 a0=0 a1=c000a25800 a2=2c a3=0 items=0 ppid=12802 pid=12807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ds_nuagent" exe="/opt/ds_agent/nuagent/ds_nuagent" subj=system_u:system_r:unconfined_service_t:s0 key=(null)

To resolve the issue, follow these steps to create a custom SELinux policy:

  1. Connect to the Deep Security Agent system as a root user.
  2. Create a Type Enforcement file named "nuagent.te":

    module nuagent 1.0;
    require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
    }
    #============= unconfined_service_t ==============
    allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };

  3. Run these commands to create a custom policy that allows bpf access for ds_nuagent:

    checkmodule -M -m -o nuagent.mod nuagent.te

    semodule_package -o nuagent.pp -m nuagent.mod

    semodule -i nuagent.pp

  4. Restart the ds_agent service.