Tips & Tricks

How to create a SELinux policy module file

We had to create a selinux rpm for our ulyaoth-nginx-pagespeed rpm and the steps below is how we generated the policy.

First install the required package “policycoreutils-python”:
$ yum install policycoreutils-python

Simply start the program that does not work and then check the file with audit2allow:
$ audit2allow -i /var/log/audit/audit.log

For me it showed something like this:
#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

Now less the file:
$ less /var/log/audit/audit.log

then search for the “denied” rule in our case it was as compared to the above output:
type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Copy that line and then create a new file.
$ vi ulyaoth.txt

and paste the copied line and save it.

Now let autdit2allow create a policy file for it:
$ audit2allow -M ulyaoth < ulyaoth.txt

The output you get is this:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ulyaoth.pp

If you now look you have two file:
ulyaoth.pp
ulyaoth.te

ulyaoth.pp is the binary file that you can use to install the policy with the command:
semodule -i ulyaoth.pp

ulyaoth.te this is the source file that shows the policy that will be installed for us the file looks like this:
module ulyaoth 1.0;

require {
type httpd_t;
class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem

Now we could add the file into a spec file to be installed as show here:
https://github.com/ulyaoth/repository/blob/master/ulyaoth-nginx-pagespeed/SPECS/ulyaoth-nginx-pagespeed-selinux.spec

We are aware you can let audit2allow to just make a policy file directly from audit.log however I had some other stuff blocked that I was not interested in and then I had to edit the ulyaoth.te and compile it again so it was easier to just copy paste it in a own text file.

Related posts

Courses I did to become a cloud ninja

Sjir Bagmeijer

How to install a graphical desktop on Fedora Server

Sjir Bagmeijer

Output to Elasticsearch with Rsyslog in Logstash format

Sjir Bagmeijer

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More