
Troubleshooting SELinux alerts in Deep Security Agent (DSA)

    • Updated: 17 Jul 2018
    • Product/Version: Deep Security 10.0, Deep Security 10.1, Deep Security 10.2, Deep Security 10.3, Deep Security 11.0, Deep Security 9.6
    • Platform: CentOS 7.0 64-bit, Linux - Red Hat RHEL 7 64-bit
Summary

When SELinux is set to enabled with the targeted policy, the following alert might appear in the system log:

    [TIMESTAMP] [HOSTNAME] python: SELinux is preventing [/PATH/BINARY] from 'read, write' accesses on the file /var/opt/ds_agent/dsa_core/ds_agent.db-shm.
    ***** Plugin leaks (86.2 confidence) suggests *****************************
    If you want to ignore [BINARY] trying to read write access the ds_agent.db-shm file, because you believe it should not need this access. Then you should report this as a bug.
    You can generate a local policy module to dontaudit this access.
    Do
    ausearch -x [/PATH/BINARY] --raw | audit2allow -D -M [POLICYNAME]
    semodule -i POLICYNAME.pp
Details

To resolve the issue, create a custom SELinux policy with audit2allow:

  1. Connect to the Deep Security Agent console as the root user.
  2. Run the following commands to create a custom policy that will allow access to Deep Security Agent files:

    # cd /tmp
    # grep ds_agent /var/log/audit/audit* | audit2allow -M ds_agent
    # semodule -i ds_agent.pp

  3. Restart the ds_agent service.
  4. Check system messages and confirm that there are no alerts related to ds_agent.

    # cat /var/log/messages | grep ds_agent

  5. If alerts still appear, run the commands from Step 2 again. This will update the existing policy and re-apply it.
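
A review step to run before `semodule -i` in Step 2, as an added example that is not part of the original article: because `grep ds_agent` selects every audit record that mentions ds_agent, this script summarizes which source type, target type, class and permissions the generated module would allow. The sample records, binary names and SELinux type names are constructed.

```shell
#!/bin/sh
# Added example (not Trend Micro code). Summarizes the AVC denials that the
# Step 2 pipeline would feed to audit2allow, one line per unique combination.

# Constructed sample audit records; binary names and SELinux types are made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1531800000.101:201): avc:  denied  { read write } for  pid=2101 comm="examplebin" path="/var/opt/ds_agent/dsa_core/ds_agent.db-shm" dev="dm-0" ino=1001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
type=AVC msg=audit(1531800060.202:215): avc:  denied  { read write } for  pid=2177 comm="examplebin" path="/var/opt/ds_agent/dsa_core/ds_agent.db-shm" dev="dm-0" ino=1001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
type=AVC msg=audit(1531800120.303:230): avc:  denied  { getattr } for  pid=2300 comm="ds_agent" path="/etc/example.conf" dev="dm-0" ino=2002 scontext=system_u:system_r:example_agent_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
type=AVC msg=audit(1531800180.404:244): avc:  denied  { open } for  pid=2400 comm="otherbin" path="/srv/other" dev="dm-0" ino=3003 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:other_file_t:s0 tclass=file
type=SYSCALL msg=audit(1531800120.303:230): arch=c000003e syscall=4 success=no exit=-13 pid=2300 comm="ds_agent" exe="/opt/ds_agent/ds_agent"
EOF
}

# Reads audit log lines on stdin; prints "count source_type target_type class perms".
summarize_avc() {
    grep ds_agent | awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Real use (as root): summarize_avc < /var/log/audit/audit.log
sample_audit_log | summarize_avc
```

Any line in the summary that is not the expected access to the ds_agent files is a rule the module would also grant; narrow the `grep` pattern or edit the generated `ds_agent.te` before installing.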

To remove the SELinux policy, use the following command:

# semodule -r ds_agent

Category: Troubleshoot
Solution Id: 1120367