Configuring permissions in the SELinux system
20 January 2022
ID 196986
To configure SELinux for operation of Kaspersky Endpoint Security:
- Switch SELinux to permissive mode:
- If SELinux has been activated, execute the following command:
# setenforce Permissive
- If SELinux was disabled, in the configuration file
/etc/selinux/config
, specify theSELINUX=permissive
parameter value, and restart the operating system.
- If SELinux has been activated, execute the following command:
- Ensure that the semanage utility is installed on the operating system. If it is not installed, install the policycoreutils-python* package.
- Install the Kaspersky Endpoint Security package.
- Relabel Kaspersky Endpoint Security binaries with bin_t by using the following commands:
semanage fcontext -a -t bin_t <binary>
restorecon -v <binary>
Here,
<binary>
are the binaries under the following paths:- /var/opt/kaspersky/kesl/10.1.4.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl
- /var/opt/kaspersky/kesl/10.1.4.<build number>_<installation timestamp>/opt/kaspersky/kesl/bin/kesl-control
- /var/opt/kaspersky/kesl/10.1.4.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl-gui
- /var/opt/kaspersky/kesl/10.1.4.<build number>_<installation timestamp>/opt/kaspersky/kesl/shared/kesl-supervisor
If you use the custom SELinux policy, relabel Kaspersky Endpoint Security binaries according to the SELinux policy.
- Run the Kaspersky Endpoint Security configuration script:
# /opt/
kaspersky/kesl/bin/kesl-setup.pl
- Run the following tasks:
- File Threat Protection task:
kesl-control --start-task 1
- Boot sector scan task:
kesl-control --start-task 4 -W
- System memory scan task:
kesl-control --start-task 5 -W
It is recommended to run all the tasks that you plan to run while using Kaspersky Endpoint Security.
- File Threat Protection task:
- Ensure that there are no errors in the audit.log file:
grep kesl /var/log/audit/audit.log
If there are errors, create and load a new rules module on the basis of blocking records in order to fix the errors, and then run all the tasks that you plan to run while using Kaspersky Endpoint Security.
If new audit messages related to Kaspersky Endpoint Security appear, the rules module file needs to be updated.
- Switch SELinux to enforcing mode:
# setenforce Enforcing
If you install the application updates, you need to relabel Kaspersky Endpoint Security binaries again (repeat steps 1, 4, 6, 7, and 8 of this procedure).
For additional information, please refer to the documentation on the relevant operating system.