How to configure SELinux to work with the SEP Linux Client

Article ID: 369785

Updated On:

Products

Endpoint Security Complete

Issue/Introduction

SELinux is blocking the SEP Linux client from running properly. What steps need to be done to have the SEP Linux Client work properly with SELinux?

Resolution

Prerequisites: a privileged account (root) is required. A tty console is strongly recommended rather than a pty (i.e. an ssh session), especially because an operator may need to install a certificate for kernel module key signing into the UEFI partition if the system is configured with Secure Boot.
 
1) Validate the Linux kernel version
Check the running Linux kernel version against the current supported kernel version list on the SEP Linux (Symantec Agent for Linux) web site.
 
For example, SEP Linux 14.3 RU8 is distributed as SAL 1.3. The current supported kernel version list is found at:
Selecting RHEL8 there shows that the following kernel is supported by KMOD version 10.0.6.2250.
 

# uname -r

4.18.0-513.24.1.el8_9.x86_64

 
If the kernel is not listed, the most likely reason is that the SEP Linux Kmod for it has not been released yet. Broadcom releases the Linux Kmod bi-weekly to catch up with upstream kernel releases from OS vendors. Please contact Support or revisit the above URL frequently.
 
2) Determine the SELinux status
Find the SELinux enforcement mode in the config file, and ensure the current runtime mode matches it.
Example: SELinux is enabled, in permissive mode

# cat /etc/selinux/config | grep ^SELINUX=

SELINUX=permissive

# getenforce

Permissive

Example: SELinux is disabled

# cat /etc/selinux/config | grep ^SELINUX=

SELINUX=disabled

# getenforce

Disabled


If the current SELinux state is uncertain, or SELinux is being enabled for the first time, reboot the system. SELinux is in the desired state once the system has rebooted.
 
3) SEP Linux install or uninstall
Install SEP Linux from the Broadcom Symantec Agent for Linux repository.
Make sure the daemons are up and the kernel modules are loaded.
 

# ./LinuxInstaller

 

Configuring Repo (linux-repo.us.securitycloud.symantec.com) ..

 

Symantec Agent for Linux

(snip.)

 

Daemon status:

cafagent running

sisamdagent running

sisidsagent running

sisipsagent running

 

Module status:

sisevt loaded

sisap loaded

 
Or uninstall SEP Linux:
 

# /usr/lib/symantec/uninstall.sh

 

Stopping Agent..

Uninstalling Symantec Agent for Linux

Symantec Endpoint Protection (SEPM) ...

 

Removing packages sdcss-caf sdcss sdcss-kmod sdcss-scripts

 
An extra operation or command may be necessary (i.e. certificate installation into the UEFI partition); it is prompted at the end of the installer script.
 
If you need an offline installation, the SEP Linux Packager (seplpkg command) is available. It creates a custom SEP Linux installer (LinuxInstaller command) with a stub installer.

https://linux-repo.us.securitycloud.symantec.com/seplpkg/index.html
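
The checks from steps 2 and 3, as an added shell example that is not part of the original article or of Broadcom's tooling: it compares the SELINUX= setting with the getenforce result and confirms that the sisevt and sisap modules are listed in /proc/modules. The function names and the --check argument are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and --check are hypothetical.

# Print the configured mode (lowercase) from an SELinux config file.
# Commented-out lines and SELINUXTYPE= are not matched; if SELINUX= is
# repeated, the last occurrence is the one reported.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare configured mode ($1) with getenforce output ($2). Prints one of:
#   match            runtime agrees with the config file
#   reboot-required  one side is disabled; that change only happens at boot
#   runtime-differs  enforcing vs permissive; config and runtime have diverged
#   unknown          either value is not a recognised mode
selinux_state_check() {
    cfg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for v in "$cfg" "$run"; do
        case "$v" in
            enforcing|permissive|disabled) ;;
            *) echo unknown; return 0 ;;
        esac
    done
    if [ "$cfg" = "$run" ]; then echo match
    elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then echo reboot-required
    else echo runtime-differs
    fi
}

# Succeed only if every named module is listed in a /proc/modules-format file.
# $1 = file, remaining args = module names; prints the first missing name.
modules_loaded() {
    file=$1; shift
    for m in "$@"; do
        awk -v m="$m" '$1 == m { ok = 1 } END { exit !ok }' "$file" \
            || { echo "missing: $m"; return 1; }
    done
}

# Live check on this host, using the module names from the installer output.
preflight() {
    echo "selinux: $(selinux_state_check "$(selinux_config_mode)" "$(getenforce)")"
    modules_loaded /proc/modules sisevt sisap && echo "modules: loaded"
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Any result other than match falls under the article's advice to reboot so that the runtime state follows the config file.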