
Make the SELinux module compatible with On-Access scanning in BEST Linux

This article describes how to make the SELinux module compatible with On-Access scanning in Bitdefender Endpoint Security Tools (BEST) for Linux.

Should you require more information on configuring SELinux than provided in this article, please refer to your Linux distribution documentation.

Issue

Security-Enhanced Linux (SELinux) is a kernel module that provides a mechanism for supporting access control security policies. This mechanism interferes with the Antimalware module of BEST for Linux, so On-Access Scanning does not function properly when SELinux is set to Enforcing.

Solution

To overcome this issue, you need to change the SELinux mode to Permissive or Disabled (recommended). This is how you make SELinux compatible with On-Access Scanning:

  1. Check the status of SELinux on the endpoint, by running the following command:
    sudo sestatus

    If the SELinux Current mode is set to Enforcing, you need to change it to Permissive or Disabled (recommended).

  2. To change the SELinux policy status:
    1. Edit the configuration file with the text editor of your choice (such as
    2. On Red Hat based systems (RHEL, CentOS, Fedora, SuSE), the configuration file is /etc/sysconfig/selinux.
    3. On Ubuntu / Debian based systems, the configuration file is /etc/selinux/config.
      Note:
      If you cannot find the SELinux configuration file on your system, please consult the documentation of your Linux distribution.

      Example:

      # nano /etc/sysconfig/selinux
    4. Edit the line starting with SELINUX= as follows:
      • For Permissive mode:
        SELINUX=permissive
        
      • For Disabled mode:
        SELINUX=disabled
        
    5. Save the file.

      If you use nano to edit the configuration, to save the file and exit, use the following sequence: Ctrl+O, Enter, Ctrl+X.

    6. Reboot the endpoint.
    7. After reboot, check the SELinux status by running the command again:
      sudo sestatus

      The output should be permissive or disabled.

    8. Check the Antimalware module status with the following command:
      # /opt/BitDefender/bin/bduitool get ps | grep Antimalware

      The Antimalware module status should be On (active).

      If the Antimalware module is Off, although SELinux is properly configured, refer to this KB article for troubleshooting Bitdefender Endpoint Security Tools for Linux.
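
The configuration edit and check from step 2, scripted as an added example (not Bitdefender's code and not part of the original article). The function names and the sample file are assumptions made for the illustration; on an endpoint you would run `set_selinux_mode` as root against the configuration file for your distribution and then reboot.

```shell
# Print the mode set by the active (uncommented) SELINUX= line of a config file.
selinux_configured_mode() {
    # Anchoring on "SELINUX=" skips comments and the separate SELINUXTYPE= line.
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line of file $1 to mode $2, keeping a .bak copy.
# Writing through a redirect (not sed -i) leaves a symlinked config path in place.
set_selinux_mode() {
    file=$1 mode=$2
    case $mode in
        permissive|disabled) ;;   # the two modes this article covers
        *) echo "unsupported mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file.bak" > "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# Constructed sample config, so the example runs offline without touching the system.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# SELINUX= can take one of: enforcing, permissive, disabled
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
set_selinux_mode "$demo_cfg" permissive
demo_mode=$(selinux_configured_mode "$demo_cfg")
echo "configured mode after edit: $demo_mode"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

The configured value only takes effect after the reboot in step 6, so `sudo sestatus` remains the authoritative check of the running mode.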

