When SELinux is enabled and set to the targeted policy, the following alert might appear in the system log:
[TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.
***** Plugin leaks (86.2 confidence) suggests *****************************
If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access. Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
semodule -i POLICYNAME.pp
To resolve the issue, create a custom SELinux policy with audit2allow:
1. Connect to the Deep Security Agent console as the root user.
2. Run the following commands to create a custom policy that allows access to Deep Security Agent files:
# cd /tmp
# grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent
# semodule -i ds_agent.pp
3. Restart the ds_agent.
4. Check system messages and confirm that there are no alerts related to ds_agent.
# cat /var/log/messages | grep ds_agent
5. If alerts still appear, run the commands from Step 2 again. This updates the existing policy and re-applies it.
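The grep in Step 2 passes every audit record that mentions ds_agent to audit2allow, so it is worth checking which denials the module will turn into allow rules before running semodule -i. The script below is an added example, not part of the original article or the vendor's tooling; the sample audit records and the example_*_t type names are constructed placeholders.

```shell
#!/bin/sh
# Added example: list the AVC denials that Step 2 would turn into allow rules.

# Print one line per unique (source type, target type, class, permissions)
# tuple found on stdin, prefixed with the number of matching denials.
summarize_avc() {
    awk '
    function field(name,   i) {          # value of a name=value token
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    /avc:[ ]+denied/ {
        perms = $0                        # keep only the text inside { ... }
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        split(field("scontext"), s, ":"); split(field("tcontext"), t, ":")
        count[s[3] " -> " t[3] ":" field("tclass") " { " perms " }"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k2
}

# Constructed audit records; the example_*_t types are placeholders.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read write } for  pid=2101 comm="python" name="ds_agent.db-shm" dev="dm-0" ino=4101 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.202:502): avc:  denied  { read write } for  pid=2102 comm="python" name="ds_agent.db-shm" dev="dm-0" ino=4101 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.303:503): avc:  denied  { getattr } for  pid=2200 comm="ds_agent" name="passwd" dev="dm-0" ino=77 scontext=system_u:system_r:example_agent_t:s0 tcontext=system_u:object_r:example_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000012.404:504): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev="dm-0" ino=88 scontext=system_u:system_r:example_web_t:s0 tcontext=system_u:object_r:example_content_t:s0 tclass=file permissive=0
EOF
}

# Same filter as Step 2, but reviewed instead of piped into audit2allow.
sample_audit_lines | grep ds_agent | summarize_avc
```

On a live system, replace sample_audit_lines with the Step 2 grep over /var/log/audit/audit* and compare the summary with the access the alert actually reported.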
To remove the SELinux policy, use the following command:
# semodule -r ds_agent