Linux:SELinux Useful Tips

From queowiki
Revision as of 09:51, 17 February 2017 by Queo (talk | contribs) (Created page with "== Update a local SELinux policy module with additional settings == * Set SELinux to permissive mode [user@host ~]# setenforce 0 * Install the policycoreutils-python package...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Update a local SELinux policy module with additional settings

  • Set SELinux to permissive mode
[user@host ~]# setenforce 0
  • Install the policycoreutils-python package if not already installed
[user@host ~]# yum install policycoreutils-python
  • Generate SELinux policy allow/dontaudit rules from logs of denied operations
[user@host ~]# audit2allow -l -a
  • Insert these new line(s) into the following policy

Dont forget to insert the class(es)/type(s) and always increment the module version (!) 

[user@host ~]# vim /etc/selinux/<insert-policyname-here>.local.te
  • Compile & update the module
[user@host ~]# cd /etc/selinux/
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \
> && checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \
> && semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \
> && semodule -u ${POLICYNAME}.pp
  • Check the SELinux logs once again
[user@host ~]# audit2allow -l -a
  • If everything went smooth set SELinux to enforcing again
setenforce 1
Retrieved from "https://quehenberger.org/queowiki/index.php?title=Linux:SELinux_Useful_Tips&oldid=10"