Configuring permissions in the SELinux system

To configure SELinux for operation of Kaspersky Endpoint Security:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, execute the following command:

      # setenforce Permissive

    • If SELinux was disabled, in the configuration file /etc/selinux/config, specify the SELINUX=permissive parameter value, and restart the operating system.
  2. Ensure that the semanage utility is installed on the operating system. If it is not installed, install the policycoreutils-python* package.
  3. Install the Kaspersky Endpoint Security package.

    Relabeling will be performed automatically when the package installation completes.

  4. If you use the custom SELinux policy, relabel Kaspersky Endpoint Security binaries under the following paths according to the SELinux policy:
    • /var/opt/kaspersky/kesl/11.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl
    • /var/opt/kaspersky/kesl/11.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/bin/kesl-control
    • /var/opt/kaspersky/kesl/11.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl-gui
    • /var/opt/kaspersky/kesl/11.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/shared/kesl-supervisor
  5. Run the Kaspersky Endpoint Security configuration script:

    # /opt/kaspersky/kesl/bin/kesl-setup.pl

  6. Run the following tasks:
    • File Threat Protection task:

      kesl-control --start-task 1

    • Boot sector scan task:

      kesl-control --start-task 4 -W

    • Process and kernel memory scan task:

      kesl-control --start-task 5 -W

    It is recommended to run all the tasks that you plan to run while using Kaspersky Endpoint Security.

  7. Ensure that there are no errors in the audit.log file:

    grep kesl /var/log/audit/audit.log

  8. If there are errors, create and load a new rules module on the basis of blocking records in order to fix the errors, and then run all the tasks that you plan to run while using Kaspersky Endpoint Security.

    If new audit messages related to Kaspersky Endpoint Security appear, the rules module file needs to be updated.

  9. Switch SELinux to enforcing mode:

    # setenforce Enforcing

If you install the application updates and custom SELinux policy is used, you need to relabel Kaspersky Endpoint Security binaries manually (repeat steps 1, 4, 6, 7, 8 and 9 of this procedure).

For additional information, please refer to the documentation on the relevant operating system.

Page top