Configure the SELinux Policy for PowerShell Integrations

Change the SELinux policy when running PowerShell integrations in Cortex XSOAR. This applies to the SELinux policy for Podman.
The SELinux policy is a set of rules that guides the SELinux security engine and defines types for file objects and domains for processes. When running in rootless mode, the default SELinux policy used by Podman may affect processes that mmap /dev/zero, which may affect running PowerShell integrations.
PowerShell integrations mmap /dev/zero as part of the .NET Core PInvoke capabilities.
To see whether PowerShell integrations can run in Cortex XSOAR, type the following command:
!pwsh script="$demisto.results('ok')"
If the SELinux policy blocks the mapping of /dev/zero, an error is issued about OutOfMemoryException. For example, in the playground, you can see the error:
You need to configure the policy module and then reset the containers. If you use engines with Podman, you need to apply the policy configuration on each engine machine.
PowerShell integrations use an internal socket which may be blocked by SELinux, depending on the container-selinux version installed. It is recommended to use version 2.144.0 or higher for the container-selinux. To upgrade to the latest container-selinux, run the sudo yum update container-selinux command.
  1. Fix the SELinux policy by installing the SELinux policy module.
    1. In the Cortex XSOAR Server, create the following file:
      podman_rootless.te
    2. Add the following content:
      module podman_rootless 1.0;
      require {
          type zero_device_t;
          type container_t;
          class chr_file execute;
      }
      #============= container_t ==============
      allow container_t zero_device_t:chr_file execute;
    3. After running a PowerShell integration in Cortex XSOAR, generate the SELinux policy using the audit2allow tool by running the following command:
      sudo grep pwsh /var/log/audit/audit.log | audit2allow -m podman_rootless
    4. Compile the policy module by running the following commands:
      • checkmodule -M -m -o podman_rootless.mod podman_rootless.te
      • semodule_package -o podman_rootless.pp -m podman_rootless.mod
    5. Install the policy module by running the following command:
      sudo semodule -i podman_rootless.pp
  2. Reset the containers in Cortex XSOAR by running the following command:
    /reset_containers
  3. Test the PowerShell script by running the following command:
    !pwsh script="$demisto.results('ok')"
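
The following is an added example, not part of the Cortex XSOAR documentation. It shows two checks that fit around step 1: confirming that container-selinux meets the 2.144.0 recommendation, and classifying pwsh AVC denials so that anything audit2allow would allow beyond the module's single rule is reviewed before installation. The function names are hypothetical and the audit records are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Function names are hypothetical and the
# audit records in sample_audit_log are constructed for illustration.
MIN_CONTAINER_SELINUX="2.144.0"   # minimum version recommended on this page

# Succeeds when dotted version $1 is at or above the recommended minimum.
version_ok() {
    awk -v have="$1" -v min="$MIN_CONTAINER_SELINUX" 'BEGIN {
        split(have, h, "."); split(min, m, ".")
        for (i = 1; i <= 3; i++) if (h[i] + 0 != m[i] + 0) exit !(h[i] + 0 > m[i] + 0)
        exit 0
    }'
}

# Reads audit records on stdin and prints one line per pwsh AVC denial:
#   covered = matches "allow container_t zero_device_t:chr_file execute;"
#   review  = any other denial that audit2allow would also turn into an allow rule
classify_pwsh_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="pwsh"/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {         # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : " ") $j
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        ok = (src == "container_t" && tgt == "zero_device_t" && cls == "chr_file" && perm == "execute")
        v = ok ? "covered" : "review"
        print v, src, tgt ":" cls, perm
    }'
}

# Constructed records: one covered denial, one socket denial, one unrelated process.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { execute } for  pid=4242 comm="pwsh" path="/dev/zero" dev="devtmpfs" ino=1031 scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { connectto } for  pid=4242 comm="pwsh" path="/tmp/sample.sock" scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:system_r:container_t:s0:c30,c40 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.303:503): avc:  denied  { read } for  pid=999 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

version_ok "2.144.0" && echo "container-selinux version meets the recommendation"
sample_audit_log | classify_pwsh_denials
```

On the server, pipe the same records the page passes to audit2allow into the classifier: sudo grep pwsh /var/log/audit/audit.log | classify_pwsh_denials. Any line marked review is a rule that the podman_rootless.te content shown in step 1 does not contain.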
