View Issue Details

IDProjectCategoryView StatusLast Update
0018506CentOS-7selinux-policypublic2022-09-08 21:43
Reporterdeep1209 Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionno change required 
OS Version7 
Summary0018506: SELinux is preventing /opt/sentinelone/bin/sentinelone-agent from 'prog_load' accesses on the bpf labeled unconfined_service_t.
DescriptionDescription of problem:
I am installing SentinelOne agent on this centOS VM. After registration of the Agent. I am trying to control start the SentinelOne Agent and this happens.
SELinux is preventing /opt/sentinelone/bin/sentinelone-agent from 'prog_load' accesses on the bpf labeled unconfined_service_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sentinelone-agent should be allowed prog_load access on bpf labeled unconfined_service_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 's1-perf' --raw | audit2allow -M my-s1perf
# semodule -i my-s1perf.pp

Additional Information:
Source Context system_u:system_r:unconfined_service_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects Unknown [ bpf ]
Source s1-perf
Source Path /opt/sentinelone/bin/sentinelone-agent
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1160.62.1.el7.x86_64 #1 SMP
                              Tue Apr 5 16:57:59 UTC 2022 x86_64 x86_64
Alert Count 18
First Seen 2022-09-08 15:29:11 EDT
Last Seen 2022-09-08 15:29:16 EDT
Local ID 9d5ca5da-2c20-4b94-bc07-f9cab8f182ee

Raw Audit Messages
type=AVC msg=audit(1662665356.343:1273): avc: denied { prog_load } for pid=19197 comm="s1-perf" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=bpf permissive=0

Hash: s1-perf,unconfined_service_t,unconfined_service_t,bpf,prog_load

Version-Release number of selected component:
Additional Informationreporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-1160.62.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.




2022-09-08 21:43

manager   ~0038985

CentOS does not ship anything located below /opt so it is not the distro fault if applications landed over there end up with incorrect permissions. If a filesystem relabel does not fix your issue, you can either analyze relabel manually the content of the /opt/sentinelone and assign a selinux context that no longer generates the error or you could follow the instructions that were automatically generated for you and create a custom policy. Or you can contact whoever created the sentinel-one package and ask them to do a proper labeling after install.

Issue History

Date Modified Username Field Change
2022-09-08 19:44 deep1209 New Issue
2022-09-08 21:43 ManuelWolfshant Status new => closed
2022-09-08 21:43 ManuelWolfshant Resolution open => no change required
2022-09-08 21:43 ManuelWolfshant Note Added: 0038985