Configuring SELinux to work with the SEP Linux Client

Products

Endpoint Security Complete

Issue/Introduction

SELinux is blocking the SEP Linux client from running properly after install

Cause

SELinux is set to enforce mode and blocks the drivers/daemons from installing or starting up

Resolution

Prerequisites: a privileged account (root), tty console is strongly recommended, not pty (i.e. ssh session). An operator may need to install a certificate for kernel module key signing into UEFI partition in case their system is configured with Secure Boot

1) Validate Linux Kernel Version

Check Linux kernel version and current supported kernel version list of SEP Linux (Symantec Agent for Linux) web site.

For example, SEP Linux 14.3 RU8 is distributed as SAL 1.3. The current supported kernel version list is found at:

https://linux-repo.us.securitycloud.symantec.com/SAL/1.3/seplinux_supported_kernels.html

Then RHEL8 selection shows the following kernel is supported by KMOD version 10.0.6.2250.

# uname -r
4.18.0-513.24.1.el8_9.x86_64

If not found, the most likely reason is SEP Linux KMOD is not released yet. Broadcom conducts Bi-weekly releases of Linux Kmod to catch up with upstream kernel releases of OS vendors. Please contact Support or revisit the above URL frequently

2) Determine SELinux Status

Find out if SELinux is in enforce mode from config file, and ensure current runtime matches the SELinux mode

example: SELinux is enabled, permissive mode

# cat /etc/selinux/config | grep ^SELINUX=SELINUX=permissive

# getenforce
Permissive

example: SELinux is disabled

# cat /etc/selinux/config | grep ^SELINUX=
SELINUX=disabled
# getenforce

Disabled

**If the current SELinux state is unsure, or if SELinux was enabled for the first time, reboot the system. SELinux will be in the desired state once the system is rebooted

3) Disable SELinux(or set to permissive) for the client install

4) install SEP Linux client/agent(or uninstall (see below) then re-install it if SELinux was set to enforce)

5) Reboot the client machine after install

6) Check the status of the daemons/drivers:

# ./LinuxInstaller

Configuring Repo (linux-repo.us.securitycloud.symantec.com) ..

Symantec Agent for Linux

(snip.)

Daemon status:
cafagent running
sisamdagent running
sisidsagent running
sisipsagent running

Module status:

sisevt loaded
sisap loaded

**To uninstall SEP Linux

# /usr/lib/symantec/uninstall.sh

Stopping Agent..
Uninstalling Symantec Agent for Linux
Symantec Endpoint Protection (SEPM) ...
Removing packages sdcss-caf sdcss sdcss-kmod sdcss-scripts

There is an extra operation or command that may be necessary (i.e. certificate installation into UEFI partition), it is prompted at the end of the installer script

If you need an offline installation, SEP Linux Packager (seplpkg command) is available. It creates a custom SEP Linux installer (LinuxInstaller command) with stub installer.

https://linux-repo.us.securitycloud.symantec.com/seplpkg/index.html