Kaspersky Standard | Plus | Premium
Linux
English
How to install and configure the application  >  Configuring allowing rules in the SELinux system

Configuring allowing rules in the SELinux system

Manually configuring SELinux for working with the application

If SELinux could not be configured automatically during the initial configuration of the application, or if you declined automatic configuration, you can manually configure SELinux to work with the Kaspersky application.

To manually configure SELinux to work with the application:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
  3. If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of the Kaspersky application in accordance with the SELinux policy being used; to do so, run the following commands:

    # semanage fcontext -a -t bin_t <executable file>

    # restorecon -v <executable file>

    where <executable file> is:

    • /var/opt/kaspersky/kfl/2.0.0.<build number>_<installation timestamp>/opt/kaspersky/kfl/libexec/kfl
    • /var/opt/kaspersky/kfl/2.0.0.<build number>_<installation timestamp>/opt/kaspersky/kfl/bin/kfl-control
    • /var/opt/kaspersky/kfl/2.0.0.<build number>_<installation timestamp>/opt/kaspersky/kfl/libexec/kfl-gui
    • /var/opt/kaspersky/kfl/2.0.0.<build number>_<installation timestamp>/opt/kaspersky/kfl/shared/kfl
  4. Run the following tasks:
    • File Threat Protection task:

      kfl-control --start-task 1

    • Critical Areas Scan task:

      kfl-control --start-task 4 -W

    We recommend running all the tasks that you plan to run while using the Kaspersky application.

  5. Launch the application interface.
  6. Ensure that there are no errors in the audit.log file:

    # grep kfl /var/log/audit/audit.log

  7. If there are errors in the audit.log file, create and download a new rule module based on blocking records in order to fix the errors, and then re-run all the tasks that you plan to run while using the Kaspersky application; to do so, run the following commands:

    # grep kfl /var/log/audit/audit.log | audit2allow -M kfl

    # semodule -i kfl.pp

    If new audit messages related to the Kaspersky application appear, the rule module file must be updated.

  8. Switch SELinux to blocking mode:

    # setenforce Enforcing

If you use a custom SELinux policy, manually assign a label to the original executable files of the Kaspersky application after installing application updates (follow steps 1, 3–8).

For additional information, please refer to the documentation on the relevant operating system.

Article ID: 284340, Last review: Apr 9, 2025
Page top