Tips & Tricks

How to create a SELinux policy module file

We had to create an SELinux policy rpm for our ulyaoth-nginx-pagespeed rpm, and the steps below are how we generated the policy.

First install the required package “policycoreutils-python”:
$ yum install policycoreutils-python

Start the program that is being blocked, then run audit2allow over the audit log:
$ audit2allow -i /var/log/audit/audit.log

For me it showed something like this:
#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

Now open the log with less:
$ less /var/log/audit/audit.log

and search for the “denied” entry that matches the audit2allow output above; in our case it was:
type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Copy that line and then create a new file.
$ vi ulyaoth.txt

and paste the copied line and save it.

Now let audit2allow create a policy module from it:
$ audit2allow -M ulyaoth < ulyaoth.txt

The output you get is this:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i ulyaoth.pp

If you now look, you have two files:
ulyaoth.pp
ulyaoth.te

ulyaoth.pp is the binary file that you can use to install the policy with the command:
semodule -i ulyaoth.pp

ulyaoth.te is the source file showing the policy that will be installed; for us it looks like this:
module ulyaoth 1.0;

require {
type httpd_t;
class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
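As an added example (not part of the original post, and not what audit2allow itself runs), the shell functions below do the manual part of the procedure above: pick out only the denial for one process name from the audit log and turn it into the same minimal .te module shown above, so you can read exactly which rule you are about to install. The log lines are constructed; the second one stands in for the unrelated denials the post mentions.

```shell
# Constructed sample log: the nginx denial quoted in the post, plus an unrelated
# denial standing in for the "other stuff" we do not want in the module.
SAMPLE_LOG='type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1428051500.001:900): avc: denied { name_connect } for pid=2001 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_lines_for COMM: keep only the denials raised by the named process (stdin -> stdout).
avc_lines_for() {
  grep 'avc: *denied' | grep "comm=\"$1\""
}

# te_rules: one allow rule per denial line. Source and target type are the third
# field of scontext/tcontext; an identical pair is written as "self", and several
# permissions are grouped in braces, matching what audit2allow emits.
te_rules() {
  awk '{
    perms = ""; stype = ""; ttype = ""; tclass = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") for (i++; i <= NF && $i != "}"; i++) perms = perms " " $i
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
      if ($i ~ /^tclass=/) tclass = substr($i, 8)
    }
    perms = substr(perms, 2)
    if (index(perms, " ")) perms = "{ " perms " }"
    printf "allow %s %s:%s %s;\n", stype, (stype == ttype ? "self" : ttype), tclass, perms
  }'
}

# te_module NAME: wrap the allow rules from stdin in the module/require header,
# collecting every type and class/permission the rules need (deduplicated).
te_module() {
  awk -v name="$1" '
    { rules = rules $0 "\n"; split($0, f, " "); types[f[2]] = 1
      split(f[3], tc, ":"); if (tc[1] != "self") types[tc[1]] = 1
      p = $0; sub(/^allow [^ ]+ [^ ]+ /, "", p); sub(/;$/, "", p); gsub(/[{}]/, "", p)
      n = split(p, pl, " ")
      for (k = 1; k <= n; k++) if (!seen[tc[2], pl[k]]++) cls[tc[2]] = cls[tc[2]] " " pl[k] }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types) printf "\ttype %s;\n", t
      for (c in cls) { cp = substr(cls[c], 2); if (index(cp, " ")) cp = "{ " cp " }"
                       printf "\tclass %s %s;\n", c, cp }
      printf "}\n\n%s", rules
    }'
}

# Build the same ulyaoth.te the post shows, from the nginx denial only
# (afterwards: audit2allow -M / semodule -i as described above).
printf '%s\n' "$SAMPLE_LOG" | avc_lines_for nginx | te_rules | te_module ulyaoth
```

Redirect the last line to ulyaoth.te to get a file you can compile, and compare it against the audit2allow-generated one before installing either.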

Now we could add the file to a spec file so it gets installed, as shown here:
https://github.com/ulyaoth/repository/blob/master/ulyaoth-nginx-pagespeed/SPECS/ulyaoth-nginx-pagespeed-selinux.spec

We are aware that you can let audit2allow build a policy file directly from audit.log; however, I had some other things blocked that I was not interested in, and then I had to edit ulyaoth.te and compile it again, so it was easier to just copy and paste the one line into its own text file.
