
How to create a SELinux policy module file.

Discussion in 'Random' started by sbagmeijer, Apr 3, 2015.


    Again, just as a reminder for myself, but it might help others also: I had to create a SELinux rpm for my ulyaoth-nginx-pagespeed rpm, and the steps below are how I generated the policy.

    First install the required package "policycoreutils-python":
    Code:
    $ yum install policycoreutils-python
    Simply start the program that does not work and then check the file with audit2allow:
    Code:
    $ audit2allow -i /var/log/audit/audit.log
    For me it showed something like this:
    Code:
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_execmem'
    allow httpd_t self:process execmem;
    
    Now less the file:
    Code:
    $ less /var/log/audit/audit.log
    Then search for the "denied" rule; in my case, compared to the above output, it was:
    Code:
    type=AVC msg=audit(1428051444.093:882): avc:  denied  { execmem } for  pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
    Copy that line and then create a new file.
    Code:
    $ vi ulyaoth.txt
    and paste the copied line and save it.

    Now let audit2allow create a policy file for it:
    Code:
    $ audit2allow -M ulyaoth < ulyaoth.txt
    The output you get is this:
    Code:
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i ulyaoth.pp
    
    If you now look, you have two files:
    ulyaoth.pp
    ulyaoth.te

    ulyaoth.pp is the binary file that you can use to install the policy with the command:
    Code:
    semodule -i ulyaoth.pp
    ulyaoth.te is the source file that shows the policy that will be installed; for me the file looks like this:
    Code:
    module ulyaoth 1.0;
    
    require {
            type httpd_t;
            class process execmem;
    }
    
    #============= httpd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'httpd_execmem'
    allow httpd_t self:process execmem;
    
    Now I could add the file into a spec file to be installed, as shown here:
    https://github.com/sbagmeijer/ulyao...ed/SPECS/ulyaoth-nginx-pagespeed-selinux.spec

    I am aware you can let audit2allow make a policy file directly from audit.log; however, I had some other stuff blocked that I was not interested in, and then I had to edit the ulyaoth.te and compile it again, so it was easier to just copy and paste it into my own text file.

    Last edited: May 10, 2015
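The post's last paragraph describes the manual workaround for a noisy audit.log: copy just the one "denied" line you care about into a text file so audit2allow does not turn every unrelated denial into an allow rule. The shell script below is an added example, not part of the original post or the ulyaoth project; it automates that filtering step by selecting AVC denials by process name (the comm= field) and only then feeding them to `audit2allow -M`, so the .te does not need to be hand-edited afterwards. It assumes audit2allow from policycoreutils-python as in the post; the sample audit log embedded in the script is constructed for the example (the nginx line is the one from the post, the sshd denial and the PROCTITLE record are made up to show what gets filtered out), and the function names and module name are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): automate the post's manual step
# of copying one "denied" line out of audit.log. avc_denials_for() keeps only
# the AVC denials of one process (comm=), so unrelated denials never reach
# audit2allow and the generated .te does not need hand-editing afterwards.
# Assumes audit2allow/semodule from policycoreutils-python, as in the post.

# Constructed sample audit log: the nginx line from the post plus an unrelated
# sshd denial and a non-AVC record, both of which must be filtered out.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1428051444.093:882): avc:  denied  { execmem } for  pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=PROCTITLE msg=audit(1428051444.093:882): proctitle=6E67696E78
type=AVC msg=audit(1428051500.001:900): avc:  denied  { read } for  pid=2000 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the AVC denial records whose comm= equals $2, read from log file $1.
# $2 is placed literally into the regex, so pass a plain process name.
avc_denials_for() {
    grep -E "^type=AVC .*avc:  denied .* comm=\"$2\"( |\$)" "$1"
}

# Number of such denials; 0 when grep finds nothing (pipeline status is wc's).
count_denials_for() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

# List the allow rules of a generated .te so they can be reviewed before
# semodule -i. For the post's input this prints "allow httpd_t self:process execmem;".
allow_rules() {
    grep -E '^allow ' "$1"
}

# Build <name>.te and <name>.pp from the filtered denials, i.e. the post's
# "audit2allow -M ulyaoth < ulyaoth.txt" without the hand-made ulyaoth.txt.
build_module() {
    log="$1"; comm="$2"; name="$3"
    tmp=$(mktemp) || return 1
    avc_denials_for "$log" "$comm" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no AVC denials for comm=\"$comm\" in $log" >&2
        rm -f "$tmp"
        return 1
    fi
    audit2allow -M "$name" < "$tmp"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] && allow_rules "$name.te"
    return "$status"
}

# Usage: sh selinux-module.sh <comm> <module-name> [audit-log]
# e.g.   sh selinux-module.sh nginx ulyaoth /var/log/audit/audit.log
# Review the printed allow rules, then install with: semodule -i ulyaoth.pp
if [ "$#" -ge 2 ]; then
    build_module "${3:-/var/log/audit/audit.log}" "$1" "$2"
fi
```

Two things worth knowing before installing what this produces. First, the filtering by comm is what `ausearch -c nginx --raw | audit2allow -M ulyaoth` does with the audit tools themselves, so on a box with auditd that one-liner replaces the grep. Second, audit2allow's own output in the post already points at the alternative: `setsebool -P httpd_execmem 1` grants the same execmem permission through a stock boolean, is reversible, and needs no custom module to package; execmem lets the confined process map anonymous memory writable and executable, so read the allow rules `allow_rules` prints and decide deliberately before running `semodule -i`.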
