Troubleshoot SELinux alerts

To check if SELinux is enabled, use the sestatus command.

SELinux blocks the Deep Security Agent service

When SELinux is enabled and blocks the Deep Security Agent service, an alert like the following sample might appear in the system audit log /var/log/audit/audit.log or the SELinux log /var/log/audit.log:

[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.

***** Plugin leaks (86.2 confidence) suggests *****************************

If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file because you believe it should not need this access. Then you should report this as a bug.

You can generate a local policy module to dontaudit this access.

Do

ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]

semodule -i POLICYNAME.pp

To resolve the issue, create a custom SELinux policy with Audit2allow, as follows:

  1. Connect to the Deep Security Agent system as a root user.
  2. Run the following commands to create a custom policy that will allow access to Deep Security Agent files:

    cd /tmp
    grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent
    semodule -i ds_agent.pp

  3. Restart the ds_agent service.
  4. Execute the following command to check the system messages and confirm that there are no alerts related to ds_agent:

    cat /var/log/messages | grep ds_agent

  5. If alerts still occur, rerun the commands from step 2 to update and reapply the existing policy.

To remove the SELinux policy, use the following command:

semodule -r ds_agent
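
Step 2 of the procedure above passes every audit line that mentions ds_agent to audit2allow, which can include denials from other processes that touched an agent file. The following script is an added example, not part of the original documentation or the vendor's tooling: it summarises AVC denials so they can be reviewed before semodule -i is run. The list of expected process names and the logrotate record are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review AVC denials before turning them into a policy module.
# Sample records are embedded so the script runs without an audit log.

# Print "count comm source_type target_type class perms" per distinct denial.
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perms = ""; comm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {          # permission set: { a b c }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        n[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k2
}

# Print only denials whose process is not one of the agent processes named on
# this page (assumed allowlist); a module built from the whole grep output
# would allow these as well.
unexpected_avc() {
    summarize_avc "$@" |
        awk '$2 != "ds_agent" && $2 != "ds_nuagent" && $2 != "tm_netagent"'
}

# Constructed sample: record 1 is the one shown on this page, record 2 repeats
# it with a new serial, record 3 is an invented denial from another process.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1682773485.952:1080): avc: denied { map_create } for pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1682773486.101:1081): avc: denied { map_create } for pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1682773490.310:1090): avc: denied { read write } for pid=4021 comm="logrotate" name="ds_agent.db-shm" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

sample_records | summarize_avc
echo "--- not an agent process:"
sample_records | unexpected_avc
```

On a real system, pass the audit log files as arguments instead of piping in the sample, for example summarize_avc /var/log/audit/audit.log.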

Berkeley Packet Filter (BPF) operations blocked

This issue can occur under the following conditions:

An alert similar to the following might appear in the system audit log /var/log/audit/audit.log or SELinux log /var/log/audit.log:

type=AVC msg=audit(1682773485.952:1080): avc: denied { map_create } for pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0

type=SYSCALL msg=audit(1682773485.952:1080): arch=c000003e syscall=321 success=no exit=-13 a0=0 a1=c000a25800 a2=2c a3=0 items=0 ppid=12802 pid=12807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ds_nuagent" exe="/opt/ds_agent/nuagent/ds_nuagent" subj=system_u:system_r:unconfined_service_t:s0 key=(null)

To resolve the issue, follow these steps to create a custom SELinux policy:

  1. Connect to the Deep Security Agent system as a root user.
  2. Create a Type Enforcement file named nuagent.te:

    module nuagent 1.0;

    require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
    }

    #============= unconfined_service_t ==============
    allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };

  3. Run the following commands to create a custom policy that allows bpf access for ds_nuagent:

    checkmodule -M -m -o nuagent.mod nuagent.te
    semodule_package -o nuagent.pp -m nuagent.mod
    semodule -i nuagent.pp

  4. Restart the ds_agent service.

Note that Deep Security Agent version 20.0.0-8137+ added support for a new process called tm_netagent. The ds_nuagent process is still supported and the process names can be used interchangeably.