Linux:SELinux Useful Tips

From queowiki
Revision as of 12:40, 8 March 2017 by Queo (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Create/Install a local SELinux policy module[edit]

  • Install the policycoreutils-python package if not already installed
[user@host ~]# yum install policycoreutils-python
  • Generate SELinux policy module from logs of denied operations
[user@host ~]# audit2allow -l -a -M <insert-policyname-here>.local
  • Install the policy module
[user@host ~]# semodule -i <insert-policyname-here>.local.pp

Update a local SELinux policy module with additional settings[edit]

  • Set SELinux to permissive mode
[user@host ~]# setenforce 0
  • Install the policycoreutils-python package if not already installed
[user@host ~]# yum install policycoreutils-python
  • Generate SELinux policy allow/dontaudit rules from logs of denied operations
[user@host ~]# audit2allow -l -a
  • Insert these new line(s) into the following policy

Dont forget to insert the class(es)/type(s) and always increment the module version (!) 

[user@host ~]# vim /etc/selinux/<insert-policyname-here>.local.te
  • Compile & update the module
[user@host ~]# cd /etc/selinux/
[user@host selinux]# export POLICYNAME=<insert-policyname-here>.local \
&& checkmodule -M -m -o ${POLICYNAME}.mod ${POLICYNAME}.te \
&& semodule_package -o ${POLICYNAME}.pp -m ${POLICYNAME}.mod \
&& semodule -u ${POLICYNAME}.pp
  • Check the SELinux logs once again
[user@host ~]# audit2allow -l -a
  • If everything went smooth set SELinux to enforcing again
setenforce 1
Retrieved from "https://quehenberger.org/queowiki/index.php?title=Linux:SELinux_Useful_Tips&oldid=20"