Configuring permissions in the SELinux system
If automatic configuration of SELinux is not possible during the initial setup of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes.
To configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes:
- Switch SELinux to permissive mode:
- If SELinux has been activated, run the following command:
# setenforce Permissive
- If SELinux was disabled, set the SELINUX=permissive parameter in the configuration file /etc/selinux/config and restart the operating system.
- Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python* package.
- If you are using a custom SELinux policy that is different from the default targeted policy, assign a label to the following Kaspersky Industrial CyberSecurity for Linux Nodes source executable files in accordance with the SELinux policy in use:
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/kics
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/bin/kics-control
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/kics-gui
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/shared/kics
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/bin/aushape
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/aushape-audispd-plugin
- /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/lib64/agent/libaushape.so.0
- Run the following tasks:
- File Threat Protection task:
kics-control --start-task 1
- The Critical Areas scan task:
kics-control --start-task 4 -W
- Kaspersky Industrial CyberSecurity for Networks Integration task:
kics-control --start-task 23
It is recommended to run all tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.
- Start the graphical user interface if you plan to use it.
- Ensure that there are no errors in the audit.log file:
grep kics /var/log/audit/audit.log
- If the audit.log file contains errors, create and load a new rules module based on the blocking entries to resolve them, and then rerun all tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.
If new audit messages related to Kaspersky Industrial CyberSecurity for Linux Nodes appear, you need to update the rules module file.
- Switch SELinux to enforcing (blocking) mode:
# setenforce Enforcing
If you use a custom SELinux policy, after installing application updates, manually assign a label to the original executable files of Kaspersky Industrial CyberSecurity for Linux Nodes (follow steps 1, 3–8).
You can find more information in the documentation for your operating system.
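For the step above that creates and loads a rules module from the blocking entries, one way to do it with audit2allow and semodule, as an added example that is not part of Kaspersky's documentation. The module name kics_local, the helper function names and the sample audit records (with placeholder SELinux types) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Function names, the module name and the
# sample records are assumptions made for illustration.

# kics_denials LOG: unique "source_type class permissions" for AVC denials mentioning kics.
kics_denials() {
    grep kics "$1" | awk '/type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, cls, perms
    }' | sort -u
}

# build_module LOG NAME: write NAME.te and NAME.pp from the same records (run as root).
build_module() {
    command -v audit2allow >/dev/null 2>&1 || { echo "audit2allow not installed" >&2; return 2; }
    grep kics "$1" | audit2allow -M "$2"
}

# load_module NAME: load NAME.pp after NAME.te has been reviewed; each allow rule widens the policy.
load_module() {
    semodule -i "$1.pp"
}

# Constructed sample with placeholder types; on a node pass /var/log/audit/audit.log instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read open } for  pid=2101 comm="kics" path="/etc/example.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 comm="kics" exe="/opt/example/kics"
type=AVC msg=audit(1700000000.202:502): avc:  denied  { read open } for  pid=2101 comm="kics" path="/etc/example.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.303:503): avc:  denied  { connectto } for  pid=2150 comm="kics-control" path="/run/example.sock" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:system_r:example_dst_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1700000002.404:504): avc:  denied  { getattr } for  pid=3000 comm="sshd" path="/etc/other" dev="dm-0" ino=1002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF

kics_denials "$SAMPLE"
# On the node, as root: build_module /var/log/audit/audit.log kics_local
# then, after reviewing kics_local.te: load_module kics_local
```

The summary shows which source type, object class and permissions the generated module will allow, so you can compare it with kics_local.te before loading and again after each rerun of the tasks.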