Configuring permissions in the SELinux system

Manually configuring SELinux for working with the application

If SELinux couldn't s be configured automatically during the initial setup of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Endpoint Security.

To manually configure SELinux to work with the application:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
  3. If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of Kaspersky Endpoint Security in accordance with the SELinux policy being used; to do so, run the following commands:

    # semanage fcontext -a -t bin_t <executable file>

    # restorecon -v <executable file>

    where <executable file> is:

    • /var/opt/kaspersky/kesl/12.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl
    • /var/opt/kaspersky/kesl/12.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/bin/kesl-control
    • /var/opt/kaspersky/kesl/12.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl-gui
    • /var/opt/kaspersky/kesl/12.1.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/shared/kesl
  4. Run the following tasks:
    • File Threat Protection task:

      kesl-control --start-task 1

    • Critical Areas Scan task:

      kesl-control --start-task 4 -W

    It is recommended to run all the tasks that you plan to run while using Kaspersky Endpoint Security.

  5. Start the graphical user interface if you plan to use it.
  6. Ensure that there are no errors in the audit.log file:

    # grep kesl /var/log/audit/audit.log

  7. If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Endpoint Security; to do so, run the following commands:

    # grep kesl /var/log/audit/audit.log | audit2allow -M kesl

    # semodule -i kesl.pp

    If new audit messages related to Kaspersky Endpoint Security appear, the file with the rule module file must be updated.

  8. Switch SELinux to blocking mode:

    # setenforce Enforcing

If you use a custom SELinux policy, manually assign a label to Kaspersky Endpoint Security source executable files after installing application updates (follow steps 1, 3–8).

You can find more information in the documentation for your operating system.

Configuring SELinux to run the "Start process" task

If SELinux is installed in your operating system in Enforcing mode, starting the Start process task requires additional configuration of SELinux.

To configure SELinux to run the "Start process" task

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
  3. Start the "Start process" task.
  4. Ensure that there are no errors in the audit.log file:

    # grep kesl /var/log/audit/audit.log

  5. If errors are present in the audit.log file, create and load a new rules module based on blocking rules to fix the errors, then run the "Start process" task again.

    # grep kesl /var/log/audit/audit.log | audit2allow -M kesl

    # semodule -i kesl.pp

  6. Switch SELinux to blocking mode:

    # setenforce Enforcing

Page top