Linux:SELinux Useful Tips: Difference between revisions
Created page with "== Update a local SELinux policy module with additional settings == * Set SELinux to permissive mode [user@host ~]# setenforce 0 * Install the policycoreutils-python package..." |
mNo edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Create/Install a local SELinux policy module == | |||
* Install the policycoreutils-python package if not already installed | |||
[user@host ~]# yum install policycoreutils-python | |||
* Generate SELinux policy module from logs of denied operations | |||
[user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local | |||
* Install the policy module | |||
[user@host ~]# semodule -i <insert-policyname-here>.local.pp | |||
== Update a local SELinux policy module with additional settings == | == Update a local SELinux policy module with additional settings == | ||
* Set SELinux to permissive mode | * Set SELinux to permissive mode | ||
| Line 12: | Line 20: | ||
[user@host ~]# cd /etc/selinux/ | [user@host ~]# cd /etc/selinux/ | ||
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \ | [user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \ | ||
&& checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \ | |||
&& semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \ | |||
&& semodule -u ${POLICYNAME}.pp | |||
* Check the SELinux logs once again | * Check the SELinux logs once again | ||
[user@host ~]# audit2allow -l -a | [user@host ~]# audit2allow -l -a | ||
* If everything went smooth set SELinux to enforcing again | * If everything went smooth set SELinux to enforcing again | ||
setenforce 1 | setenforce 1 | ||
Latest revision as of 12:40, 8 March 2017
Create/Install a local SELinux policy module[edit]
- Install the policycoreutils-python package if not already installed
[user@host ~]# yum install policycoreutils-python
- Generate SELinux policy module from logs of denied operations
[user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local
- Install the policy module
[user@host ~]# semodule -i <insert-policyname-here>.local.pp
Update a local SELinux policy module with additional settings[edit]
- Set SELinux to permissive mode
[user@host ~]# setenforce 0
- Install the policycoreutils-python package if not already installed
[user@host ~]# yum install policycoreutils-python
- Generate SELinux policy allow/dontaudit rules from logs of denied operations
[user@host ~]# audit2allow -l -a
- Insert these new line(s) into the following policy
Dont forget to insert the class(es)/type(s) and always increment the module version (!)
[user@host ~]# vim /etc/selinux/<insert-policyname-here>.local.te
- Compile & update the module
[user@host ~]# cd /etc/selinux/
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \
&& checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \
&& semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \
&& semodule -u ${POLICYNAME}.pp
- Check the SELinux logs once again
[user@host ~]# audit2allow -l -a
- If everything went smooth set SELinux to enforcing again
setenforce 1