Change the SELinux Policy when running PowerShell Integrations in Cortex XSOAR
The SELinux Policy is a set of rules that guides the SELinux security engine, and defines types for file objects and domains for processes. When running in rootless mode, the default SELinux policy used by Podman may affect processes that mmap /dev/zero, which may affect running PowerShell integrations. PowerShell integrations mmap /dev/zero as part of the .NET Core PInvoke capabilities.
To see whether PowerShell integrations can run in Cortex XSOAR, type the following command:
!pwsh script="$demisto.results('ok')"
If the SELinux policy blocks the mapping of /dev/zero, the command fails with an OutOfMemoryException error, which is shown in the playground output.
You need to configure the policy module and then reset the containers. If you use engines with Podman, you need to apply the policy configuration on each engine machine.
Note: PowerShell integrations use an internal socket which may be blocked by SELinux, depending on the container-selinux version installed. It is recommended to use version 2.144.0 or higher of container-selinux. To upgrade to the latest container-selinux, run the following command:
sudo yum update container-selinux
Fix the SELinux policy by installing the SELinux policy module.
In the Cortex XSOAR Server, create a file named podman_rootless.te with the following content:
module podman_rootless 1.0;
require {
    type zero_device_t;
    type container_t;
    class chr_file execute;
}
#============= container_t ==============
allow container_t zero_device_t:chr_file execute;
Alternatively, after running a PowerShell integration in Cortex XSOAR, generate the SELinux policy module source from the recorded denials using the audit2allow tool by running the following command (audit2allow -m writes the module source to standard output, so redirect it into podman_rootless.te):
sudo grep pwsh /var/log/audit/audit.log | audit2allow -m podman_rootless
Compile the policy module by running the following commands:
checkmodule -M -m -o podman_rootless.mod podman_rootless.te
semodule_package -o podman_rootless.pp -m podman_rootless.mod
Install the policy module by running the following command:
sudo semodule -i podman_rootless.pp
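The following POSIX shell script is an added example and is not part of the Cortex XSOAR documentation. It ties the steps above together: it checks the audit log for the specific AVC denial behind this problem (a container_t process refused execute on a zero_device_t character device, which is what the podman_rootless.te module allows), writes that module, and compiles and installs it with checkmodule, semodule_package and semodule. The audit log lines embedded in the script are constructed samples, and the script name and --run flag are my own.

```shell
#!/bin/sh
# Added example (not from the Cortex XSOAR docs): detect the container_t -> zero_device_t
# "execute" denial, write the podman_rootless.te module from the page, build and install it.
set -eu
MODULE=podman_rootless

# Constructed sample audit log: the pwsh /dev/zero denial plus one unrelated denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.100:201): avc:  denied  { execute } for  pid=4242 comm="pwsh" path="/dev/zero" dev="devtmpfs" ino=6 scontext=system_u:system_r:container_t:s0:c100,c200 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.200:202): avc:  denied  { read } for  pid=4243 comm="python" path="/etc/shadow" scontext=system_u:system_r:container_t:s0:c100,c200 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Exit 0 only if stdin holds the denial this page describes: a container_t process
# refused "execute" on a zero_device_t character device (the blocked mmap of /dev/zero).
has_zero_device_denial() {
    grep -q 'avc:  *denied  *{ *execute *}.*scontext=[^ ]*:container_t:.*tcontext=[^ ]*:zero_device_t:.*tclass=chr_file'
}

# Write the policy module source (the page's podman_rootless.te) to the path in $1.
write_te_module() {
    cat > "$1" <<EOF
module $MODULE 1.0;
require {
    type zero_device_t;
    type container_t;
    class chr_file execute;
}
#============= container_t ==============
allow container_t zero_device_t:chr_file execute;
EOF
}

# Compile, package and install the module; return 2 when the SELinux tools are missing
# so "not applicable on this host" is distinguishable from a build failure.
build_and_install() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }
    done
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    sudo semodule -i "$MODULE.pp"
}

main() {
    if has_zero_device_denial < "${1:-/var/log/audit/audit.log}"; then
        write_te_module "$MODULE.te" && build_and_install
    else
        echo "no container_t -> zero_device_t execute denial in the audit log" >&2
    fi
}

# Usage: sh fix_podman_rootless.sh --run [/path/to/audit.log]
if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```

Run it on the engine machine after a PowerShell integration has executed at least once, so that the denial is present in the audit log.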
Add server configurations and reset the containers in Cortex XSOAR.
Configure label confinement to allow Python and PowerShell containers to access other script folders.
In the Cortex XSOAR server configuration, set the following parameters:
For Python containers, set python.pass.extra.keys to
--security-opt=label=level:s0:c100,c200
For PowerShell containers, set powershell.pass.extra.keys to
--security-opt=label=level:s0:c100,c200
In the Cortex XSOAR CLI, run the following command to reset the containers:
/reset_containers
Test the PowerShell script by running the following command:
!pwsh script="$demisto.results('ok')"