SELinux policy on /tmp/pritunl_

andy · January 24, 2024, 8:08pm

We’re running Pritunl on Oracle Linux 8. Our host IDS (wazuh) throwing an alarm for the pritunl directory in /tmp. It looks like it has something to do with an SELinux policy.

Here’s what we’re getting from the IDS:
Anomaly detected in file '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

when I list /tmp with sudo ls -l /tmp I get this:

ls: cannot access '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93': Permission denied
total 4
d?????????? ? ?        ?           ?            ? pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93

Is there any modification I can make to an SELinux policy to squash the IDS alarm while keeping things secure?

zach · January 30, 2024, 4:47pm

You would need to disable SElinux. Pritunl modifies the tmp files SElinux context to block access from any other process, this protects the keys stored in this directory.

andy · January 30, 2024, 6:34pm

I’d like to avoid disabling SELinux.

What are the keys that are stored in /tmp used for? Can I configure a different directory to be used?

zach · January 30, 2024, 7:29pm

There is an option in the configuration file to change the directory but this would likely prevent the Pritunl process from access the files.