How do you manually compile Talpa on Fedora 27/28/29?

I have been working on scripting installs of Sophos AV on Linux hosts. I have no issues with the supported platforms, but we have some Debian, some Scientific Linux, and some Fedora.

I was able to figure out what was needed on SciLinux and Debian to get Talpa to compile with the standard installer script from Sophos, but I cannot get the same to work on any of the currently stable Fedora builds.


I found the Sophos Talpa source on GitHub, and have gotten it to compile the binary packages. I can run /opt/sophos-av/engine/talpa_select select and it will look like it's working, but no matter what I do afterwards, the real-time scan engine does not start.


Current Output from Talpa Select:

[root@ITRS-505687645a engine]# ./talpa_select select
[Talpa-select]
Copyright 1989-2018 Sophos Limited. All rights reserved.
Fri Jan 11 15:26:25 2019 GMT
Linux distribution: [fedora]
Product: [Fedora release 29 (Twenty Nine)]
Kernel: [4.19.13-300.fc29.x86_64]
Multiprocessor support enabled.
Searching for source pack...
Searching for suitable binary pack...
Binary pack was created locally.
Found suitable binary pack. Using: /opt/sophos-av/talpa/compiled/talpa-binpack-fedora-x86_64-4.19.13-300.fc29.x86_64-1smpsatdec29225428utc2018.tar.gz

I have tried to reboot, which does not enable the on-access scanning.

I have tried to run /opt/sophos-av/bin/savdctl enable, which does not enable the on-access scanning.

No matter which I do, whenever I run /opt/sophos-av/bin/savdstatus:

[root@ITRS-505687645a talpa]# /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active but on-access scanning is not running


When looking into the logs, this appears to be the pertinent bit of information:

Fri 11 Jan 2019 07:46:01 AM CST: update.updated Updated to versions - SAV: 10.4.1, Engine: 3.74.2, Data: 5.58
Fri 11 Jan 2019 07:46:01 AM CST: update.updated Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 07:46:41 AM CST: talpa.startup Unable to load Talpa modules.
Fri 11 Jan 2019 08:45:51 AM CST: update.check Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 08:50:29 AM CST: talpa_select.compiled NOTE: You are running Sophos Anti-Virus on a kernel for which Sophos does not provide binary kernel modules. Therefore the kernel modules have been locally compiled. Please see KBA14377 for supported platforms and kernels.
Fri 11 Jan 2019 08:50:32 AM CST: talpa_select Failed to load module talpa_syscallhook
insmod: ERROR: could not insert module /opt/sophos-av/talpa/current/talpa_syscallhook.ko: Permission denied

Fri 11 Jan 2019 08:50:32 AM CST: talpa.startup Unable to load Talpa modules.


Any help here would be useful. I feel like I am REALLY close to getting this running, but so far no luck.

  • Hey  

    Thanks for reaching out and my apologies regarding this inconvenience.

    I'd advise to please raise a support case for this and provide me with your case ID so I can follow up accordingly.

    For reference:

    Thanks,

  • In reply to FloSupport:

    I tried a ticket submitted by one of our Security Staff here, the reply from Sophos was as follows:

    "Thank you for contacting Sophos Technical Support!

    In regards to your query, Fedora Linux is not a supported distribution for Sophos AV. The following KB below will go over what distributions are supported:"

    And then they replied with the same KB articles you just posted in your reply.

    We tried Fanotify, which also did not work, we tried the Talpa compile, and that didn't work at first, but the GitHub version seems to compile as it has recent patches in it for the 4.18+ kernels, but that won't launch or load.

  • In reply to Greg Smith:

    So, the Talpa modules work, but only if you disable SELinux on Fedora. You want to help me out with the step I am obviously missing?

  • In reply to Greg Smith:

    Hi Greg,

    I've reached out to our team for this, and will reply back with any response I receive.

    Regards,

  • In reply to FloSupport:

    Hi, 

    I'm facing the same issue when trying to compile Fedora 29 Talpa modules. (kernel 4.19.15-300.fc29.x86_64)

    The build error I get:

    Building...
    Traceback (most recent call last):
    File "talpa_select.py", line 2035, in _action
    File "talpa_select.py", line 898, in load
    File "talpa_select.py", line 664, in select
    File "talpa_select.py", line 1555, in select
    File "talpa_select.py", line 1639, in build
    File "talpa_select.py", line 1792, in __try_build
    SelectException: exc-build-failed

    Has this something to do with Python3?

    Disabling SELinux doesn't solve the problem.

    Kind regards,
    GT

  • In reply to burn:

    Hello,

    perhaps has some advice.

    Christian

  • In reply to QC:

    The most obvious question: are you using github talpa, via the autodeploy.sh - https://gist.github.com/paperclip/7892031


    The version of Talpa that is included with Sophos Anti-Virus for Linux doesn't support Kernel 4.19.


    If you are using the github version of Talpa, then the build.log file should give more information about what has failed to build.

  • In reply to Greg Smith:

    Hi Greg,


    Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1426741

    It looks like SELinux enforcing mode may prevent some module loading. I'm afraid, since Fedora isn't on our supported list, we can't look into this in any more detail, but it might be possible for you to create rules to allow talpa_select to load kernel modules.

    As a first step it might be worth checking the SELinux logs to see what is getting blocked.

    Thanks,

    Douglas.

  • In reply to DouglasLeeder:

    I can confirm, if you use the github version of Talpa, it will compile on Fedora, BUT, it will not load the kernel modules as the newest profiles in SELinux do not allow the loading.


    After you have compiled the module from github (https://github.com/sophos/talpa), and have tried to turn on the on-access scanning (# /opt/sophos-av/bin/savdctl enable), do the following:

     **** WARNING -- This is what I did on Fedora 27, 28, 29. It might not work on your system -- WARNING ****

    This will look at your SELinux Audit logs parsing it for recent insmod failures and build the policy info to add to the default targeted policy.

    # ausearch -c insmod -r | audit2allow -M talpainsmod -p /etc/selinux/targeted/policy/policy.31


    Once you have that new policy file, you need to add it to existing policy on the system.

    # semodule -i talpainsmod.pp


    Then you just need to reboot the system and the Talpa modules compiled before from GitHub should compile and allow Sophos to run.
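The two replies above (Douglas's suggestion to check the SELinux logs for what is being blocked, and the `ausearch | audit2allow` procedure) both hinge on reading the `type=AVC` denial records that auditd writes. Here is an added example, not from this thread or from Sophos, of parsing such records offline, filtering for the insmod denials, and collapsing them into the distinct `allow` rules a policy module would need, which is what audit2allow produces. The audit lines, contexts and serial numbers below are constructed for the example; the module path is the one quoted in the original post, and the SELinux types used are assumptions, not taken from a real Fedora host.

```python
import re
from collections import OrderedDict

# Constructed sample audit records (not captured from a real system), shaped
# like the type=AVC lines auditd writes when SELinux denies an action. On a
# real host these would come from `ausearch -m avc` or /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1547224232.101:512): avc:  denied  { module_load } for  pid=4321 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="dm-0" ino=123456 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1547224232.101:512): arch=c000003e syscall=313 success=no exit=-13 comm="insmod"
type=AVC msg=audit(1547224232.140:513): avc:  denied  { read } for  pid=4321 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="dm-0" ino=123456 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547224300.555:520): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp:serial, verdict, the braced permission set,
# then the free-form key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the policy rule cares about the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_denials(log_text, comm="insmod"):
    """Return the denied AVC records whose comm matches (insmod by default),
    which is the same selection `ausearch -c insmod` makes on a live host."""
    return [
        rec for rec in map(parse_avc, log_text.splitlines())
        if rec and rec["verdict"] == "denied" and rec.get("comm") == comm
    ]


def allow_rules(denials):
    """Collapse the denials into distinct `allow source target:class perm;` rules,
    preserving first-seen order, so each one can be reviewed before it is installed."""
    rules = OrderedDict()
    for rec in denials:
        for perm in rec["perms"]:
            rules[(rec["stype"], rec["ttype"], rec["tclass"], perm)] = None
    return [f"allow {s} {t}:{cls} {perm};" for (s, t, cls, perm) in rules]


if __name__ == "__main__":
    denials = find_denials(SAMPLE_AUDIT_LOG)
    for rec in denials:
        print(f"serial {rec['serial']}: {rec['comm']} denied {rec['perms']} on {rec.get('path')}")
    print("\n".join(allow_rules(denials)))
```

The point of listing the rules rather than piping straight into `semodule -i` is review: each `allow` line names the exact source type, target type, object class and permission being opened up, so you can confirm it covers only the Talpa module path (and only the `module_load` permission) instead of a broader type, and drop anything that does not belong to the loader before installing the policy.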