How to exclude Cylance on SELinux

Hello.

We have Cylance protect anti-virus software version 2.0.1530.706 running on a RHEL 7 server with SE Linux enforced.

The following entries are being written to /var/log/messages:

SELinux is preventing /usr/sbin/mdadm from getattr access on the file /dev/mqueue/com.cylance.cef.message_broker

SELinux is preventing /usr/sbin/mdadm from getattr access on the file /dev/mqueue/com.cylance.protect

Has anyone else running Cylance protect on RHEL 7 SE Linux encountered this, and if so, how did you resolve it?

I'm guessing there's a way to exclude Cylance from being blocked by SE Linux but I'm unsure how to do it.

Add an entry to /etc/selinux/targeted/booleans perhaps?

Any help would be appreciated.

Thanks.

Tom

Responses

This is great to see! Well done for wishing to troubleshoot SELinux properly instead of just turning it off :)

Have a look at an RHCSA study guide, the section on SELinux troubleshooting shows how to use the sealert and audit2allow commands to troubleshoot and resolve these sorts of denials.

Here's someone's blog page which looks good. It shows you how to make sense of audit.log, how to identify existing booleans and tweak them (not what you want), and how to create your own modules based on existing denials (this is what you want).

Hello Jamie.

Thanks for the information - very helpful.

We used that blog post as a guide and ran the following command to implement a fix.

# cat /var/log/audit/audit.log | grep AVC | grep -i cylance | audit2allow

#============= mdadm_t ==============
allow mdadm_t tmpfs_t:file getattr;

# cat /var/log/audit/audit.log | grep AVC | grep -i cylance | audit2allow -m mdadmtmpfs

module mdadmtmpfs 1.0;

require {
        type tmpfs_t;
        type mdadm_t;
        class file getattr;
}

#============= mdadm_t ==============
allow mdadm_t tmpfs_t:file getattr;

# cat /var/log/audit/audit.log | grep AVC | grep -i cylance | audit2allow -M mdadmtmpfs
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mdadmtmpfs.pp

# semodule -i mdadmtmpfs.pp

# semodule -l | grep mdadmtmpfs
mdadmtmpfs      1.0

The "SELinux is preventing..." entries are being written to /var/log/messages every morning just after 3 AM, so we're going to see if they reappear tomorrow or stop.

Thanks again.
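As an added example (not code from this thread or from Cylance/Red Hat), the shell function below does by hand what the audit2allow -m step in the reply above does automatically: it reads raw AVC records in /var/log/audit/audit.log format, pulls the source type, target type, object class and permission out of each denial, and emits a .te module with the require block and allow rules, with duplicate denials merged into one rule. Seeing the rule generated from the raw record makes it easy to review what the module will actually grant before installing it. The AVC records embedded in SAMPLE_AVC are constructed for this example (pids, inodes and timestamps are made up); only the paths and the mdadm_t/tmpfs_t types match what the thread reports.

```shell
#!/bin/sh
# avc_to_te NAME: read audit.log records on stdin, write a NAME.te policy
# source on stdout. Mirrors the output shape of "audit2allow -m NAME".
avc_to_te() {
    awk -v name="$1" '
    function braces(p) { return (p ~ / /) ? "{ " p " }" : p }
    /type=AVC/ && /denied/ {
        # permission set sits between the braces, e.g. "{ getattr }"
        if (!match($0, /[{] [^}]* [}]/)) next
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type:level -> the type is the third colon field
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype SUBSEP ttype SUBSEP tclass
        # merge permissions per (source, target, class) triple, no duplicates
        np = split(perm, plist, " ")
        for (j = 1; j <= np; j++) {
            if ((key, plist[j]) in seen) continue
            seen[key, plist[j]] = 1
            perms[key] = (perms[key] == "") ? plist[j] : perms[key] " " plist[j]
            if (!((tclass, plist[j]) in cseen)) {
                cseen[tclass, plist[j]] = 1
                cperms[tclass] = (cperms[tclass] == "") ? plist[j] : cperms[tclass] " " plist[j]
            }
        }
        types[stype] = 1; types[ttype] = 1
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
    }
    END {
        print "module " name " 1.0;"
        print ""
        print "require {"
        for (t in types)  print "        type " t ";"
        for (c in cperms) print "        class " c " " braces(cperms[c]) ";"
        print "}"
        print ""
        for (i = 1; i <= n; i++) {
            split(keys[i], k, SUBSEP)
            print "allow " k[1] " " k[2] ":" k[3] " " braces(perms[keys[i]]) ";"
        }
    }'
}

# Constructed sample records (not real log data): two getattr denials like
# the ones reported in the thread plus an unrelated SYSCALL record that
# must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1500000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="mdadm" path="/dev/mqueue/com.cylance.cef.message_broker" dev="mqueue" ino=11 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.124:457): avc:  denied  { getattr } for  pid=1234 comm="mdadm" path="/dev/mqueue/com.cylance.protect" dev="mqueue" ino=12 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.124:457): arch=c000003e syscall=4 success=no exit=-13'

# demo_te: generate the module source for the sample records.
demo_te() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_te mdadmtmpfs
}

demo_te
```

On a real host you would feed it the denials of interest, e.g. ausearch -m AVC -ts today | grep -i cylance | avc_to_te mdadmtmpfs > mdadmtmpfs.te, read the allow lines to confirm they are as narrow as you expect (here a single getattr on tmpfs_t files for mdadm_t), and then compile and load exactly as audit2allow -M does under the hood: checkmodule -M -m -o mdadmtmpfs.mod mdadmtmpfs.te, semodule_package -o mdadmtmpfs.pp -m mdadmtmpfs.mod, semodule -i mdadmtmpfs.pp. Reviewing the .te first matters because audit2allow will happily turn any denial into an allow rule, including ones that should have been fixed with a file context label or a boolean instead.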