Configuring permissive rules in the SELinux system
January 19, 2023
ID 197917
To configure SELinux to work with Kaspersky Endpoint Security:
- Switch SELinux to permissive mode:
- If SELinux has been activated, run the following command:
# setenforce Permissive
If SELinux was disabled, set the SELINUX = permissive
parameter in the configuration file / etc / selinux / config and restart the operating system.
- If SELinux has been activated, run the following command:
- Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python* package.
- Install the Kaspersky Endpoint Security package.
Once the package is installed, the source executables will be automatically labelled.
- If you use a custom SELinux policy rather than the default targeted policy, assign a label for the following Kaspersky Endpoint Security source executable files in accordance with the SELinux policy used:
- /var/opt/kaspersky/kesl/11.2.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl
- /var/opt/kaspersky/kesl/11.2.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/bin/kesl-control
- /var/opt/kaspersky/kesl/11.2.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl-gui
- /var/opt/kaspersky/kesl/11.2.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/shared/kesl-supervisor
- Run the Kaspersky Endpoint Security configuration script:
# /opt/kaspersky/kesl/bin/kesl-setup.pl
- Run the following tasks:
- File Threat Protection task:
kesl-control --start-task 1
- Critical Areas Scan task:
kesl-control --start-task 4 -W
It is recommended to run all the tasks that you plan to run while using Kaspersky Endpoint Security.
- File Threat Protection task:
- Ensure that there are no errors in the audit.log file:
grep kesl /var/log/audit/audit.log
- If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Endpoint Security.
If new audit messages related to Kaspersky Endpoint Security appear, the file with the rule module file must be updated.
- Switch SELinux to enforcing mode:
# setenforce Enforcing
If you use a custom SELinux policy, then you will need to manually assign a label to Kaspersky Endpoint Security source executable files after installing the application updates (follow steps 1, 4, 6, 7, 8, and 9).
For additional information, please refer to the documentation on the relevant operating system.