This article provides steps to build an SELinux custom RPM package with McAfee Agent. The package contains an SELinux policy, so that the McAfee Agent process can read, write, and execute in a custom folder path.  

IMPORTANT:

• This package can't be deployed through ePO. You need to follow the manual installation steps below. 
• This package isn’t a managed agent. You must have a managed agent on version 5.7.x already installed and managed by ePO.

1. Download McAfeeAgent-selinux-5.7.x-ReleasePackages.tar.gz from the Product Downloads site.
2. Copy the package to a location on your Linux system and extract the package using the command below:
   
   [root@root selinux]# tar -xvf McAfeeAgent-selinux-5.7.0-ReleasePackages.tar.gz
   
   Extracted Packages:

 

3. Locate the folder where the above files were extracted to. Use the commands below:
   
   [root@root selinux]# cd McAfeeAgent-selinux-5.7.0-ReleasePackages/
   
   [root@root McAfeeAgent-selinux-5.7.0-ReleasePackages]# ls -lsa
   
   Screen Output Example

 

3. Run the command below to install the package:
   
   rpm -ivh MFEma-selinux-5.7.xx.src.rpm
   
   Example:
   [root@root McAfeeAgent-selinux-5.7.0]# rpm -ivh MFEma-selinux-5.7.0-1.src.rpm
   
   Screen Output Example:

 

4. Execute the command below to move to the SOURCES folder.
   
   pushd ${HOME}/rpmbuild/SOURCES
   
   NOTE: rpmbuild must be installed on the Linux system.
    
5. Confirm the files from the rpm command exist
   
   [root@root SOURCES]# ls -lsa
   
   ​Screen Output Example

6. Define the context type in the gen_require function section in the mfe_ma.te file using a VI editor.
   
   NOTE: mfe_ma.te is located in ${HOME}/rpmbuild/SOURCES.
   
   Example:
   
   Before defining:

7. Add the lines below to the end of the file using a VI editor (press Shift+G):
   
   allow mfe_ma_masvc_t root_t:dir { manage_dir_perms };
   allow mfe_ma_masvc_t root_t:file { manage_file_perms };
   allow mfe_ma_macmnsvc_t root_t:dir { manage_dir_perms };
   allow mfe_ma_macmnsvc_t root_t:file { manage_file_perms };
    
8. Exit the VI editor (press the Esc key and the colon  key :), and save the file.
9. Type the command below if you aren’t in the /rpmbuild/SOURCES folder:
   
   cd ${HOME}/rpmbuild/SOURCES
    
10. Run the make command below. It places the targeted policy files in the selinux-* folder within /rpmbuild/SOURCES.
    
    [root@root SOURCES]# make

11. Execute the commands below sequentially:
    
    mkdir -p ${HOME}/rpmbuild/SOURCES/MFEma-selinux
    
    cp -f license.txt ${HOME}/rpmbuild/SOURCES/MFEma-selinux
    
    pushd selinux-*
    
    cp -f mfe_ma*targeted ${HOME}/rpmbuild/SOURCES/MFEma-selinux
    
    pushd ${HOME}/rpmbuild/SPECS
    
    rpmbuild --define 'pkg_version <version-num>' --define '_src 1' -ba MFEma-selinux.spec
    
    NOTE: Where <version-um> equals a number higher than the version of the rpm package.
    
    Example:
    
    [root@root SOURCES]#rpmbuild --define 'pkg_version 2' --define '_src 1' -ba MFEma-selinux.spec
    
    NOTE: The above rpmbuild command creates a custom RPM package with MA version 5.7.0 inside ${HOME}/rpmbuild/RPMS/noarch/.
    
    Example:

 

12. Update the MA SELinux using the command below:
    
    rpm -uvh MFEma-selinux-5.7.0-2.noarch.rpm
    
    For more details, see ${HOME}/rpmbuild/SOURCES/README.md.