Tips & Tricks

How to create a SELinux policy module file

We had to create a SELinux rpm for our ulyaoth-nginx-pagespeed rpm, and the steps below are how we generated the policy.

First install the required package “policycoreutils-python”:
$ yum install policycoreutils-python

Simply start the program that does not work and then check the file with audit2allow:
$ audit2allow -i /var/log/audit/audit.log

For me it showed something like this:
#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

Now less the file:
$ less /var/log/audit/audit.log

then search for the "denied" line; in our case, matching the audit2allow output above, it was:
type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Copy that line and then create a new file.
$ vi ulyaoth.txt

and paste the copied line and save it.

Now let audit2allow create a policy file for it:
$ audit2allow -M ulyaoth < ulyaoth.txt

The output you get is this:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ulyaoth.pp

If you now look, you have two files:
ulyaoth.pp
ulyaoth.te

ulyaoth.pp is the binary policy package that you install with the command:
semodule -i ulyaoth.pp

ulyaoth.te is the source file that shows the policy that will be installed; for us the file looks like this:
module ulyaoth 1.0;

require {
type httpd_t;
class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

Now we could add the file to a spec file to be installed, as shown here:
https://github.com/ulyaoth/repository/blob/master/ulyaoth-nginx-pagespeed/SPECS/ulyaoth-nginx-pagespeed-selinux.spec

We are aware that you can let audit2allow make a policy file directly from audit.log; however, I had some other things blocked that I was not interested in, and I would then have had to edit ulyaoth.te and compile it again, so it was easier to just copy and paste the one line into a text file of its own.
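The same filtering, done with a small script instead of copy and paste so the module only covers the denials of the process you care about. This is an added example, not part of the original post or the ulyaoth repository; it assumes the standard audit.log record format, that audit2allow is on the PATH, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: build a SELinux module from the AVC denials of ONE process
# (e.g. nginx) rather than from every denial in audit.log.

# Print the kernel AVC "denied" records whose comm= matches $1 from log $2.
# Only type=AVC records are considered; USER_AVC records from userspace
# object managers (dbus etc.) are deliberately left out.
avc_denials_for() {
    grep -E 'type=AVC .*avc: +denied' "$2" | grep -F "comm=\"$1\""
}

# Number of matching denials, used as a sanity check before building.
count_avc_denials_for() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

# Feed only the filtered denials to audit2allow, producing $3.te and $3.pp.
# $1 = comm name, $2 = audit log path, $3 = module name (e.g. ulyaoth)
build_module() {
    tmp=$(mktemp)
    avc_denials_for "$1" "$2" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no AVC denials for comm=$1 in $2" >&2
        rm -f "$tmp"
        return 1
    fi
    audit2allow -M "$3" < "$tmp"   # prints the "semodule -i $3.pp" reminder
    rm -f "$tmp"
}

# Constructed sample log: one nginx denial (as in the post), one unrelated
# sshd denial, and a non-AVC record that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1428051444.093:882): avc:  denied  { execmem } for  pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1428051444.093:882): arch=c000003e syscall=10 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1428051500.001:890): avc:  denied  { read } for  pid=2001 comm="sshd" name="hosts" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Usage on a real box: build_module nginx /var/log/audit/audit.log ulyaoth
```

Run build_module as root on the machine that produced the denials, then install the result with semodule -i as the post describes.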
