Auto-Protect kernel modules fail to load with SELinux set to enforcing.

Article ID: 184910

Products

Endpoint Protection

Issue/Introduction

When attempting to install the Symantec Endpoint Protection (SEP) client on a Linux system, the Auto-Protect kernel modules fail to load. The installer output ends with errors similar to the following:

Mon Jan 27 21:40:19 CAT 2020: Build succeeded
Stopping smcd (via systemctl):                             [  OK  ]
Stopping rtvscand (via systemctl):                         [  OK  ]
Stopping symcfgd (via systemctl):                          [  OK  ]
CONFIG_RETPOLINE=y
insmod: ERROR: could not insert module /opt/Symantec/autoprotect/.symevrm-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko: Permission denied
.symevrm: unable to load kernel support module (UNSUPPORTED-OS-or-UNK-UNK-4.14.35-1902.7.3.1.el7uek-x86_64)
Restarting autoprotect (via systemctl):  Job for autoprotect.service failed because the control process exited with error code. See "systemctl status autoprotect.service" and "journalctl -xe" for details.
                                                           [FAILED]
kernel drivers are not loaded.
Starting symcfgd (via systemctl).

Cause

The default SELinux policy denies the module_load operation: the Auto-Protect modules under /opt/Symantec/autoprotect carry the usr_t file context, and the insmod_t domain is not permitted to load kernel modules with that label while SELinux is enforcing.

Environment

Oracle Linux 7

Resolution

To allow the Auto-Protect kernel modules to load, you can either disable enforcement of the SELinux policy or create a custom SELinux policy module that permits the Auto-Protect kernel modules to be loaded.

To disable SELinux enforcement:

  1. Open the following file in a text editor: /etc/selinux/config
  2. Change SELINUX=enforcing to either SELINUX=disabled or SELINUX=permissive

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted

  3. Restart the computer.

To create a custom SELinux policy module, use the audit2allow utility.

  1. Install audit2allow (on Red Hat based distributions it is provided by the policycoreutils-python package: yum install policycoreutils-python).
  2. Run the following command to list the audit records for the denied insmod calls:

ausearch -c 'insmod' --raw

You should see entries similar to the following:

type=AVC msg=audit(1580151264.883:178): avc:  denied  { module_load } for  pid=3871 comm="insmod" path="/opt/Symantec/autoprotect/symev-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko" dev="dm-0" ino=134307803 scontext=system_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1580151264.883:178): arch=c000003e syscall=313 success=no exit=-13 a0=3 a1=41a9ee a2=0 a3=3 items=0 ppid=3807 pid=3871 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="insmod" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key=(null)
type=PROCTITLE msg=audit(1580151264.883:178): proctitle=2F7362696E2F696E736D6F64002F6F70742F53796D616E7465632F6175746F70726F746563742F73796D65762D637573746F6D2D342E31342E33352D313930322E372E332E312E656C3775656B2D7838365F36342E6B6F

type=AVC msg=audit(1580151264.764:177): avc:  denied  { module_load } for  pid=3793 comm="insmod" path="/opt/Symantec/autoprotect/.symevrm-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko" dev="dm-0" ino=134307804 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1580151264.764:177): arch=c000003e syscall=313 success=no exit=-13 a0=3 a1=41a9ee a2=0 a3=3 items=0 ppid=3727 pid=3793 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="insmod" exe="/usr/bin/kmod" subj=unconfined_u:system_r:insmod_t:s0 key=(null)
type=PROCTITLE msg=audit(1580151264.764:177): proctitle=2F7362696E2F696E736D6F64002F6F70742F53796D616E7465632F6175746F70726F746563742F2E73796D6576726D2D637573746F6D2D342E31342E33352D313930322E372E332E312E656C3775656B2D7838365F36342E6B6F

  3. Take the file paths of symev-custom and .symevrm-custom from the path= field of the AVC entries and run the following commands:

ausearch -c 'insmod' -f '/opt/Symantec/autoprotect/symev-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko' --raw | audit2allow -M symev-insmod
semodule -i symev-insmod.pp
ausearch -c 'insmod' -f '/opt/Symantec/autoprotect/.symevrm-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko' --raw | audit2allow -M symevrm-insmod
semodule -i symevrm-insmod.pp
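As an added example (not part of the article or of the SEP product), a shell helper that pulls the denied module paths out of raw audit records and builds the ausearch | audit2allow commands of step 3 from them, instead of copying the paths by hand. The audit records embedded in it are constructed from the entries shown above, plus one unrelated denial to show the filter.

```shell
#!/bin/sh
# Constructed sample of `ausearch -c 'insmod' --raw` output: two module_load
# denials (one of them repeated) and one non-module denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1580151264.883:178): avc:  denied  { module_load } for  pid=3871 comm="insmod" path="/opt/Symantec/autoprotect/symev-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko" dev="dm-0" ino=134307803 scontext=system_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1580151264.883:178): arch=c000003e syscall=313 success=no exit=-13 comm="insmod" exe="/usr/bin/kmod"
type=AVC msg=audit(1580151264.764:177): avc:  denied  { module_load } for  pid=3793 comm="insmod" path="/opt/Symantec/autoprotect/.symevrm-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko" dev="dm-0" ino=134307804 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=AVC msg=audit(1580151264.764:177): avc:  denied  { module_load } for  pid=3793 comm="insmod" path="/opt/Symantec/autoprotect/.symevrm-custom-4.14.35-1902.7.3.1.el7uek-x86_64.ko" dev="dm-0" ino=134307804 scontext=unconfined_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=AVC msg=audit(1580151300.100:180): avc:  denied  { getattr } for  pid=3900 comm="insmod" path="/opt/Symantec/autoprotect/constructed-example.conf" dev="dm-0" ino=134307900 scontext=system_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0'

# Read raw audit records on stdin and print the path= of every AVC record that
# denies module_load on tclass=system, deduplicated, in order of first appearance.
module_load_denial_paths() {
    awk '
        /^type=AVC / && index($0, "{ module_load }") && index($0, "tclass=system") {
            if (match($0, /path="[^"]*"/)) {
                p = substr($0, RSTART + 6, RLENGTH - 7)   # strip path=" and the closing quote
                if (!(p in seen)) { seen[p] = 1; print p }
            }
        }'
}

# For each denied module, print the ausearch | audit2allow command from the
# article, naming the policy module after the driver (symev-insmod, symevrm-insmod).
audit2allow_commands() {
    module_load_denial_paths | while IFS= read -r p; do
        base=${p##*/}            # file name without directory
        base=${base#.}           # hidden file (.symevrm-...): drop the leading dot
        name=${base%%-custom-*}  # symev-custom-4.14... -> symev
        printf "ausearch -c 'insmod' -f '%s' --raw | audit2allow -M %s-insmod\n" "$p" "$name"
    done
}

# On a live system replace the sample with: ausearch -c 'insmod' --raw | audit2allow_commands
printf '%s\n' "$SAMPLE_AVC" | audit2allow_commands
```

Review the generated symev-insmod.te before running semodule -i: the rule audit2allow derives from these records allows insmod_t to load any module file labeled usr_t, not only these two files.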