In some cases, you'll need to create a new SELinux policy—for instance, when installing a piece of software from source. Although I do not recommend installing software from source on enterprise systems, this is sometimes your only option for company-developed software.
It is then time to create your own SELinux policy.
We'll use the denied entries in the audit.log file to build our SELinux policy with audit2allow.
In this recipe, we'll use the same example as in the previous recipe: the SELinux context of /var/www/html/index.html that is changed to system_u:object_r:user_home_t:s0. Perform the following steps:
~# egrep 'avc.*denied' /var/log/audit/audit.log |audit2allow -m example_policy

module example_policy 1.0;

require {
	type httpd_t;
	type user_home_t;
	class file { read open };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_t:file { read open };
~#

~# egrep 'avc.*denied' /var/log/audit/audit.log |audit2allow -M example_policy
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i example_policy.pp
~#
When you generate a module package, two files are created: a type enforcement file (.te) and a policy package file (.pp). The te file is the human-readable policy, the same text that audit2allow -m prints. The pp file is the compiled SELinux policy module package, which is what you later load to enable the new policy.
If you believe you have discovered a bug in an existing SELinux policy, you'll need to produce a type enforcement (.te) file and a policy package (.pp) file to attach to your report in Red Hat Bugzilla.
It's important to make sure that you only feed the correct AVC denial entries to audit2allow: every denial it reads becomes an allow rule, so unrelated denials in the same log turn into a module that grants more access than required. It's a good idea to pipe the AVC denial entries to a temporary file, remove what is not needed, and review what is left before you parse the file with audit2allow.
If the policy you generate in this way is not exactly what you need, you can always edit the generated te policy file, and when you're done, compile a new policy package from the edited te file. You can do this as follows:
~# checkmodule -M -m -o example_policy.mod example_policy.te
checkmodule: loading policy configuration from example_policy.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to example_policy.mod
~# semodule_package -o example_policy.pp -m example_policy.mod
~#
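As an added example (not part of the recipe), the following POSIX shell script puts the two pieces of advice above together: it narrows the AVC denials to one source domain and one target type before anything reaches audit2allow, writes the filtered records to a temporary file for review, and wraps the checkmodule/semodule_package rebuild of an edited .te file. The audit.log lines embedded in it are constructed for the example, and the helper names (filter_avc_denials, count_avc_denials, build_policy_from_filtered, compile_te_module) are my own; audit2allow, checkmodule and semodule_package are only invoked when they are present on the host.

```shell
#!/bin/sh
# Added example, not from the recipe: feed audit2allow only the denials that
# belong to the problem being fixed, so the generated module grants nothing else.

# Constructed sample audit.log: two httpd_t denials on user_home_t (the case in
# the recipe) plus one unrelated sshd_t denial and a SYSCALL record, neither of
# which must end up in the policy.
SAMPLE_AUDIT_LOG=$(mktemp)
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1433859612.318:2104): avc:  denied  { read } for  pid=2356 comm="httpd" name="index.html" dev="dm-0" ino=1050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1433859612.318:2105): avc:  denied  { open } for  pid=2356 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1433859700.001:2110): avc:  denied  { write } for  pid=901 comm="sshd" name="authorized_keys" dev="dm-0" ino=2231 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=SYSCALL msg=audit(1433859612.318:2104): arch=c000003e syscall=2 success=no exit=-13
EOF

# filter_avc_denials LOGFILE SOURCE_TYPE TARGET_TYPE
# Prints only AVC denial records whose scontext type is SOURCE_TYPE and whose
# tcontext type is TARGET_TYPE. Other domains and non-AVC records are dropped.
filter_avc_denials() {
    log=$1; src=$2; tgt=$3
    grep 'avc: *denied' "$log" \
        | grep "scontext=[^ ]*:$src:" \
        | grep "tcontext=[^ ]*:$tgt:"
}

# count_avc_denials LOGFILE SOURCE_TYPE TARGET_TYPE
# Number of records the filter keeps; handy as a sanity check before building.
count_avc_denials() {
    filter_avc_denials "$@" | wc -l | tr -d ' '
}

# build_policy_from_filtered LOGFILE SOURCE_TYPE TARGET_TYPE MODULE_NAME
# Writes the filtered denials to a temporary file for review, then runs the
# recipe's audit2allow -M step on that file only (-i reads denials from a file
# instead of stdin). Skipped when audit2allow is not installed.
build_policy_from_filtered() {
    log=$1; src=$2; tgt=$3; module=$4
    tmp=$(mktemp)
    filter_avc_denials "$log" "$src" "$tgt" >"$tmp"
    echo "Review $tmp before loading anything; $(wc -l <"$tmp") AVC record(s) kept."
    if command -v audit2allow >/dev/null 2>&1; then
        audit2allow -M "$module" -i "$tmp"
        echo "Inspect $module.te, then load with: semodule -i $module.pp"
    else
        echo "audit2allow not installed; $tmp is ready for it on an SELinux host."
    fi
}

# compile_te_module MODULE_NAME
# The recipe's rebuild of an edited .te file: checkmodule compiles it to a
# .mod, semodule_package wraps the .mod into the .pp that semodule loads.
compile_te_module() {
    module=$1
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not installed; cannot rebuild $module.te here."
        return 1
    fi
    checkmodule -M -m -o "$module.mod" "$module.te" &&
    semodule_package -o "$module.pp" -m "$module.mod" &&
    echo "Rebuilt $module.pp; review it, then: semodule -i $module.pp"
}

# Run against the constructed log: only the two httpd_t records are kept.
build_policy_from_filtered "$SAMPLE_AUDIT_LOG" httpd_t user_home_t example_policy
```

The source and target type filters are the part worth keeping even if you never script the rest: the recipe's `egrep 'avc.*denied'` alone picks up every denial on the box, and audit2allow will happily turn all of them into allow rules in one module.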
Take a look at the man page for audit2allow(1) for more options on creating a policy.
To report bugs, go to https://bugzilla.redhat.com/.