Troubleshoot SELinux alerts

To check whether SELinux is enabled, use the `sestatus` command.
SELinux blocks the Deep Security Agent service

When the SELinux policy is set to enable and it blocks the Deep Security Agent service, an alert like the following sample might appear in the system audit log `/var/log/audit/audit.log` or the SELinux log `/var/log/audit.log`:

```
[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.

***** Plugin leaks (86.2 confidence) suggests *****************************

If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
semodule -i POLICYNAME.pp
```
To resolve the issue, create a custom SELinux policy with audit2allow, as follows:

1. Connect to the Deep Security Agent system as the root user.
2. Run the following commands to create a custom policy that allows access to the agent files:

   ```shell
   cd /tmp
   grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent
   semodule -i ds_agent.pp
   ```

3. Restart the `ds_agent` service.
4. Run the following command to check the system messages and confirm that there are no alerts related to `ds_agent`:

   ```shell
   cat /var/log/messages | grep ds_agent
   ```

5. If alerts still occur, rerun the commands from step 2 to update and reapply the existing policy.

To remove the SELinux policy, use the following command:

```shell
semodule -r ds_agent
```
Berkeley Packet Filter (BPF) operations blocked

This issue can occur under the following conditions:

- The agent OS is Red Hat Enterprise Linux 7 (64-bit).
- SELinux is enabled in enforcing mode.
- The Advanced TLS Traffic Inspection feature is enabled on the agent.

An alert similar to the following might appear in the system log `/var/log/audit/audit.log` or the SELinux log `/var/log/audit.log`:

```
type=AVC msg=audit(1682773485.952:1080): avc: denied { map_create } for pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=SYSCALL msg=audit(1682773485.952:1080): arch=c000003e syscall=321 success=no exit=-13 a0=0 a1=c000a25800 a2=2c a3=0 items=0 ppid=12802 pid=12807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ds_nuagent" exe="/opt/ds_agent/nuagent/ds_nuagent" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
```

To resolve the issue, follow these steps to create a custom SELinux policy:

1. Connect to the Deep Security Agent system as the root user.
2. Create a Type Enforcement file named `nuagent.te` with the following content:

   ```
   module nuagent 1.0;

   require {
       type unconfined_service_t;
       class bpf { map_create map_read map_write prog_load prog_run };
   }

   #============= unconfined_service_t ==============
   allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
   ```

3. Run the following commands to build and install a custom policy that allows bpf access for `ds_nuagent`:

   ```shell
   checkmodule -M -m -o nuagent.mod nuagent.te
   semodule_package -o nuagent.pp -m nuagent.mod
   semodule -i nuagent.pp
   ```

4. Restart the `ds_agent` service.
Deep Security Agent version 20.0.0-8137 and later added support for a new process called `tm_netagent`. The `ds_nuagent` process is still supported, and the two process names can be used interchangeably.
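Both procedures above build an SELinux module from whatever `avc: denied` records are in the audit log, and the `grep ds_agent /var/log/audit/audit*` search in the first procedure hands every matching record to `audit2allow`. Before installing the resulting module it is worth seeing exactly which permissions it would grant. The following POSIX shell function is an added example, not part of this Trend Micro page or the agent's own tooling: it reads audit records on stdin, keeps the `avc: denied` records whose `comm=` is the process name you pass (`ds_agent`, `ds_nuagent` or `tm_netagent`), and drafts the equivalent `allow` rules in the form shown in the `nuagent.te` file above. The names `draft_allow_rules` and `SAMPLE_AUDIT` are chosen here, and the sample records, contexts and PIDs are constructed for the example rather than captured from a real host.

```shell
#!/bin/sh
# Added example: draft SELinux allow rules from AVC denial records for one process name.
# Not part of the Deep Security documentation or the agent's tooling; names are chosen here.

# Constructed sample records in the audit.log format (not captured from a real host).
# Contexts and PIDs are illustrative only.
SAMPLE_AUDIT='type=AVC msg=audit(1682773485.952:1080): avc:  denied  { map_create } for  pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=SYSCALL msg=audit(1682773485.952:1080): arch=c000003e syscall=321 success=no exit=-13 comm="ds_nuagent" exe="/opt/ds_agent/nuagent/ds_nuagent"
type=AVC msg=audit(1682773486.101:1081): avc:  denied  { prog_load } for  pid=12807 comm="ds_nuagent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1682773490.000:1090): avc:  denied  { read write } for  pid=12900 comm="ds_agent" path="/var/opt/ds_agent/dsa_core/ds_agent.db-shm" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1682773491.000:1091): avc:  denied  { read } for  pid=12900 comm="ds_agent" path="/var/opt/ds_agent/dsa_core/ds_agent.db-shm" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# draft_allow_rules COMM   (audit records on stdin)
# Prints one "allow SOURCE TARGET:CLASS { perms };" line per (source type, target type, class)
# found in "avc: denied" records whose comm= equals COMM. Output is sorted; repeats are merged.
draft_allow_rules() {
  awk -v want="$1" '
    # Text of the first match of regex re, minus skip leading and trim trailing characters.
    function field(re, skip, trim) {
      if (match($0, re)) return substr($0, RSTART + skip, RLENGTH - skip - trim)
      return ""
    }
    # The type is the third colon-separated component of user:role:type[:level].
    function ctxtype(ctx,    a, n) { n = split(ctx, a, ":"); return (n >= 3) ? a[3] : ctx }

    /^type=AVC/ && /avc: *denied/ {
      if (field("comm=\"[^\"]*\"", 6, 1) != want) next
      st  = ctxtype(field("scontext=[^ ]*", 9, 0))
      tt  = ctxtype(field("tcontext=[^ ]*", 9, 0))
      cls = field("tclass=[^ ]*", 7, 0)
      n   = split(field("[{][^}]*[}]", 1, 1), p, " ")
      key = st SUBSEP tt SUBSEP cls
      for (i = 1; i <= n; i++) {
        if (!((key SUBSEP p[i]) in seen)) {   # merge repeated permissions across records
          seen[key SUBSEP p[i]] = 1
          acc[key] = acc[key] " " p[i]
        }
      }
    }
    END {
      for (k in acc) {
        split(k, parts, SUBSEP)
        target = (parts[1] == parts[2]) ? "self" : parts[2]   # self when source and target types match
        print "allow " parts[1] " " target ":" parts[3] " {" acc[k] " };"
      }
    }' | sort
}

# Stand-alone demo on the constructed sample:  sh this_script.sh demo
# On a real host:  draft_allow_rules ds_nuagent < /var/log/audit/audit.log
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | draft_allow_rules ds_nuagent
  printf '%s\n' "$SAMPLE_AUDIT" | draft_allow_rules ds_agent
fi
```

On the constructed sample, `ds_nuagent` yields `allow unconfined_service_t self:bpf { map_create prog_load };` and `ds_agent` yields `allow unconfined_service_t var_t:file { read write };`. Compare the drafted lines with the `.te` that `audit2allow -M` writes next to the `.pp`; a rule for a class or target type that the agent has no reason to touch points to a different problem than a missing policy and deserves a look before the module is installed.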