User Guides
CTE-U Quick Start Guide
- Terminology and Components
- Install and Configure CTE-U with CipherTrust Manager
  - Installation Prerequisites
  - Installation and Registration
  - Verifying Package Signatures
  - Setting the SE Linux state
- Guarding with CTE-U and CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Guarding CTE files with CTE-U
- Exporting GuardPoints over NFS
- Migrating CTE Agents to CTE-U
- Multifactor Authentication for CTE-U
  - Introduction to Multifactor Authentication
  - Using CTE-U with Multi-factor Authentication
  - Use Cases for MFA on CTE
  - Exempting some users from authentication with a Whitelist
  - Setting up Multifactor Authentication with a One-Time-Password
  - Setting up Multifactor Authentication with an Inactivity Time Out
  - Administrator Tasks for Multifactor Authentication
  - Troubleshooting Multifactor Authentication
- Phased migration from CTE-U 9.x to CTE-U 10.x
CTE-U Health Manager Utility
- Performing Health Check
- Using the Monitor
- Service Commands
- Viewing the Service Status
- Gathering the Technical Dump Information
- Troubleshooting/ Debugging CTE-U
CTE-U Advanced Configuration Guide for Linux
- Getting Started with CTE for Linux
  - Silent Installation for CTE or CTE-U on Linux
  - Using external certificates for communication between CTE Agent and CipherTrust Manager
  - Configuring CTE-U with CipherTrust Manager
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- CTE-U Overview
- Special Cases for CTE-U Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Enhanced Encryption Mode
  - Disk Space
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - File Systems Compatibility
- CTE with systemd
  - CTE Agent Control Changes on systemd
  - CTE Agent Control Changes on systemd
  - Adding Applications to the secfs-fuse.service File
  - Adding Dependencies to systemd Unit Configuration Files
- Utilities
  - CTE-U Linux Authentication and Client Settings
  - Individual GuardPoint Tuning
  - Agent Health Utility
  - Secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - agentinfo Utility (Java version)
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Voradmin Utility
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - vmd utility
  - vmsec Utility
- Upgrading CTE-U on Linux
- Uninstalling CTE-U from Linux
Using FreeBSD with CTE-U
- FreeBSD Jail
- Install CTE-U Dependencies
- FreeBSD Services
- Upgrade CTE-U Packages
- Remove CTE-U Packages
- Unsupported Features for CTE-U with FreeBSD

Setting the SE Linux state

When installing CTE-U on SE (Security Enhanced) Linux with RHEL 9.1, you must set the SE Linux state. SELINUX can be set to any of the following three states:

Enforcing: SELinux security policy is enforced.
Permissive: SELinux prints warnings, but does not enforce the security policy.
Disabled: No SELinux policy is loaded.

Installing CTE-U and Setting the SE Linux State

Check if SE Linux is in enforcing mode with the command sestatus.

[root@localhost ~] sestatus

Response

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

If it is in enforcing mode, set the state to permissive for installation, type:
```
[root@localhost ~] setenforce 0
```
Install CTE-U and register the client to CipherTrust Manager.

Run the following commands, in succession, to add the SELinux policy for CTE-U.

grep -i "comm=\"secfs_fuse\"" /var/log/audit/audit.log | audit2allow -M secfs_fuse
semodule -i secfs_fuse.pp

grep -i "comm=\"vmd\"" /var/log/audit/audit.log | audit2allow -M vmdpolicy
semodule -i vmdpolicy.pp

Restart the SecFS_fuse service and check the logs for any AVC denials in /var/log/messages.

A denial for setattr is expected after adding a policy for vmd. If you see the message "SELinux is preventing" to any of the processes "secfs_fuse, vmd". Then execute the command mentioned in step 4 again.
Change the SE Linux status to enforcing once there are no more denials, type:
```
setenforce 1
```
Note

For more information, see Setting SELinux states and modes.

Setting the SE Linux Policy Type

The SELINUX TYPE will be one of the following three values:

Targeted: Targeted processes are protected
Minimum: Modification of targeted policy. Only selected processes are protected.
MLS: Multi Level Security protection.

The following file controls the state of SELinux on the system.

    /etc/selinux/config

Edit the /etc/selinux/config file to set the SE LINUX TYPE parameter to SELINUXTYPE=targeted.

Disabling SE Linux

In earlier Fedora kernel builds, setting SELINUX to disabled would also fully disable SELinux during the boot stage. If you need a system with SELinux fully disabled, as opposed to a system with SELinux running with no policy loaded, you need to set selinux=0 in the kernel command line. Use the Grubby CLI tool.

To set the bootloader to boot with SE Linux disabled, type:

    grubby --update-kernel ALL --args selinux=0

To revert back to SELinux enabled, type:

    grubby --update-kernel ALL --remove-args selinux

Suggest A Change

Setting the SE Linux state

Installing CTE-U and Setting the SE Linux State

Setting the SE Linux Policy Type

Disabling SE Linux

On this page