Configuring SELinux to work with the SEP Linux Client

Article ID: 369785


Products

Endpoint Security Complete

Issue/Introduction

SELinux is blocking the SEP Linux client from running properly after installation.

Cause

SELinux is set to enforcing mode and blocks the drivers/daemons from installing or starting up.

Resolution

Prerequisites: a privileged account (root). A tty console is strongly recommended rather than a pty (i.e. an SSH session). If the system is configured with Secure Boot, the operator may need to install a certificate for kernel module key signing into the UEFI partition.
 
1) Validate Linux Kernel Version
Check the running Linux kernel version against the current supported kernel version list on the SEP Linux (Symantec Agent for Linux) web site.
 
For example, SEP Linux 14.3 RU8 is distributed as SAL 1.3. The current supported kernel version list is found at:
Selecting RHEL8 there shows that the following kernel is supported by KMOD version 10.0.6.2250.

# uname -r
4.18.0-513.24.1.el8_9.x86_64
 
If the kernel is not found in the list, the most likely reason is that the SEP Linux KMOD for it has not been released yet. Broadcom releases the Linux KMOD bi-weekly to catch up with the OS vendors' upstream kernel releases. Please contact Support or revisit the above URL frequently.
 
2) Determine SELinux Status
 
Find out from the config file whether SELinux is in enforcing mode, and ensure the current runtime mode matches the configured SELinux mode.
 
example: SELinux is enabled, permissive mode

# cat /etc/selinux/config | grep ^SELINUX=
SELINUX=permissive

# getenforce
Permissive

example: SELinux is disabled

# cat /etc/selinux/config | grep ^SELINUX=
SELINUX=disabled

# getenforce
Disabled

**If the current SELinux state is uncertain, or if SELinux was enabled for the first time, reboot the system. SELinux will be in the desired state once the system is rebooted.
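
The check in step 2 as a small script, added here as an example and not part of Broadcom's article or installer: it compares the SELINUX= value in the config file with the getenforce output. The function names and the status words it prints (ready, enforcing, mismatch, unknown) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Broadcom's code): step 2 as a repeatable check.
# Function names and status words are this example's own.

# First SELINUX= value in a config file, lowercased
# (the same line that `grep ^SELINUX=` shows).
configured_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = path to the SELinux config file, $2 = output of getenforce
selinux_install_check() {
    cfg=$(configured_mode "$1")
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cfg" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown"; return 0 ;;   # no usable SELINUX= line found
    esac
    if [ "$cfg" != "$run" ]; then
        echo "mismatch"                  # config and runtime disagree (see the reboot note)
    elif [ "$cfg" = "enforcing" ]; then
        echo "enforcing"                 # step 3 applies before the install
    else
        echo "ready"                     # permissive or disabled on both sides
    fi
}

# Check the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    selinux_install_check /etc/selinux/config "$(getenforce)"
fi
```

A result of mismatch corresponds to the case in the note above, where the runtime state does not yet reflect the config file.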
 
3) Disable SELinux (or set it to permissive) for the client install
 
4) Install the SEP Linux client/agent (or, if SELinux was set to enforcing, uninstall it (see below) and then re-install it)
 
5) Reboot the client machine after install
 
6) Check the status of the daemons/drivers: 

# ./LinuxInstaller
 
Configuring Repo (linux-repo.us.securitycloud.symantec.com) ..

Symantec Agent for Linux

(snip.)

Daemon status:
cafagent running
sisamdagent running
sisidsagent running
sisipsagent running

Module status:

sisevt loaded
sisap loaded

**To uninstall SEP Linux
# /usr/lib/symantec/uninstall.sh

Stopping Agent..
Uninstalling Symantec Agent for Linux
Symantec Endpoint Protection (SEPM) ...
Removing packages sdcss-caf sdcss sdcss-kmod sdcss-scripts

 
An extra operation or command may be necessary (i.e. certificate installation into the UEFI partition). If so, it is prompted at the end of the installer script.
 
If you need an offline installation, the SEP Linux Packager (seplpkg command) is available. It creates a custom SEP Linux installer (LinuxInstaller command) with a stub installer.

https://linux-repo.us.securitycloud.symantec.com/seplpkg/index.html