Troubleshooting SELinux alerts in Deep Security Agent (DSA)

Product / Version includes:

Deep Security9.6 , Deep Security11.0 , Deep Security10.0

Last updated: 2021/08/28

Solution ID: KA-0008565

Category: Troubleshoot

Summary

When SELinux configuration is set to enabled and targeted, the following alert might appear in the system log:

[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.
  *****  Plugin leaks (86.2 confidence) suggests   *****************************
  If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access.  Then you should report this as a bug. 
  You can generate a local policy module to dontaudit this access.
  Do
  ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
  semodule -i POLICYNAME.pp

To resolve the issue, create custom SELinux policy with Audit2allow:

Connect to the Deep Security Agent console as a root user.
Run the following commands to create a custom policy that will allow access to Deep Security Agent files:
# cd /tmp
# grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent
# semodule -i ds_agent.pp
Restart the ds_agent.
Check system messages and confirm that there are no alerts related to ds_agent.
# cat /var/log/messages | grep ds_agent
If there are still some alerts showing, run again the command from Step 2. This will update the existing policy and re-apply it.

To remove the SELinux policy, use the following command

# semodule -r ds_agent

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Troubleshooting SELinux alerts in Deep Security Agent (DSA)

Troubleshooting SELinux alerts in Deep Security Agent (DSA)

Product / Version includes:

Summary