Linux:SELinux Useful Tips: Difference between revisions

Revision as of 09:58, 17 February 2017

Create/Install a local SELinux policy module

Install the policycoreutils-python package if not already installed

[user@host ~]# yum install policycoreutils-python

Generate SELinux policy module from logs of denied operations

[user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local

Install the policy module

[user@host ~]# semodule -i <insert-policyname-here>.local.pp

Update a local SELinux policy module with additional settings

Set SELinux to permissive mode

[user@host ~]# setenforce 0

Install the policycoreutils-python package if not already installed

[user@host ~]# yum install policycoreutils-python

Generate SELinux policy allow/dontaudit rules from logs of denied operations

[user@host ~]# audit2allow -l -a

Insert these new line(s) into the following policy

Dont forget to insert the class(es)/type(s) and always increment the module version (!)

[user@host ~]# vim /etc/selinux/<insert-policyname-here>.local.te

Compile & update the module

[user@host ~]# cd /etc/selinux/
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \
> && checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \
> && semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \
> && semodule -u ${POLICYNAME}.pp

Check the SELinux logs once again

[user@host ~]# audit2allow -l -a

If everything went smooth set SELinux to enforcing again

setenforce 1

@@ Line 1: / Line 1: @@
+== Create/Install a local SELinux policy module ==
+* Install the policycoreutils-python package if not already installed
+ [user@host ~]# yum install policycoreutils-python
+* Generate SELinux policy module from logs of denied operations
+ [user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local
+* Install the policy module
+ [user@host ~]# semodule -i <insert-policyname-here>.local.pp
 == Update a local SELinux policy module with additional settings ==
 * Set SELinux to permissive mode