Troubleshoot SELinux alerts

To check if SELinux is enabled, enter the following command: sestatus.

When the SELinux policy is set to enable and block ds_agent, the following alert sample might appear in the system log or SELinux log (/var/log/audit/audit.log or /var/log/audit.log):

[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.

***** Plugin leaks (86.2 confidence) suggests *****************************

If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access. Then you should report this as a bug.

You can generate a local policy module to dontaudit this access.


ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]

semodule -i POLICYNAME.pp

To resolve the issue, create a custom SELinux policy with Audit2allow:

  1. Connect to the Deep Security Agent as a root user.
  2. Run the following commands to create a custom policy that will allow access to Deep Security Agent files:
  3. cd /tmp

    grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent

    semodule -i ds_agent.pp

  4. Restart the ds_agent.
  5. Check the system messages and confirm that there are no alerts related to ds_agent.
  6. cat /var/log/messages | grep ds_agent

  7. If alerts are still occurring, run the commands from step 2 again. This will update the existing policy and re-apply it.

To remove the SELinux policy, use the following command: semodule -r ds_agent.