Linux:SELinux Useful Tips: Difference between revisions

Create/Install a local SELinux policy module[edit]

• Install the policycoreutils-python package if not already installed

[user@host ~]# yum install policycoreutils-python

• Generate SELinux policy module from logs of denied operations

[user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local

• Install the policy module

[user@host ~]# semodule -i <insert-policyname-here>.local.pp

Update a local SELinux policy module with additional settings[edit]

• Set SELinux to permissive mode

[user@host ~]# setenforce 0

• Install the policycoreutils-python package if not already installed

[user@host ~]# yum install policycoreutils-python

• Generate SELinux policy allow/dontaudit rules from logs of denied operations

[user@host ~]# audit2allow -l -a

• Insert these new line(s) into the following policy

Dont forget to insert the class(es)/type(s) and always increment the module version (!)

[user@host ~]# vim /etc/selinux/<insert-policyname-here>.local.te

• Compile & update the module

[user@host ~]# cd /etc/selinux/
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \
&& checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \
&& semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \
&& semodule -u ${POLICYNAME}.pp

• Check the SELinux logs once again

[user@host ~]# audit2allow -l -a

• If everything went smooth set SELinux to enforcing again

setenforce 1