SELinux notes

These are my notes, after learning from the Fedora SELinux FAQ.

  • Become root. Although you could do this with sudo, it’s more of a pain: output redirections and exported variables don’t carry across a sudo boundary.
    Also, you may be glad, some day, that you left these files lying around, and the best place for that is root’s home directory (or a subdirectory).

  • You must ensure the auditd service is installed and started. The daemon is auditd, but the package is called audit; policycoreutils-python provides audit2allow and friends (on newer releases the package is policycoreutils-python-utils).
    yum -y install audit policycoreutils-python
    service auditd start

  • First, make sure there’s nothing pending in your audit log. The -l flag makes audit2allow consider only denials logged since the last policy reload:
    audit2allow -m local -l -i /var/log/audit/audit.log
    If that prints anything beyond the bare module header, start a fresh window by reloading the policy. This does not erase the log; it just moves the point that -l counts from:
    semodule --reload

  • Now, temporarily switch SELinux to permissive mode. Denials are still logged but no longer enforced, so one run captures the whole chain of accesses instead of just the first one that gets blocked:
    setenforce 0

  • Do whatever would normally get blocked.

  • And put SELinux back in enforcing mode. Don’t skip this; nothing later in the process will remind you:
    setenforce 1

  • Make up a new module name, such as “httpdwritehomes”, and generate a type enforcement (.te) file from the denials captured in the audit log:
    export newmod=httpdwritehomes
    audit2allow -m $newmod -l -i /var/log/audit/audit.log > $newmod.te
    Be sure to edit that file and read it over. audit2allow allows exactly what was denied, which is often broader than the access you actually want, so remove anything that doesn’t belong. Before accepting a rule, check whether a boolean would solve it instead (audit2allow -w on the same input, or audit2why, tells you) or whether the real problem is a mislabeled file that restorecon or semanage fcontext should fix.

  • Note: if nothing appears in the log, the access may be covered by a “dontaudit” rule, which suppresses logging of expected denials. Temporarily disable those rules (this rebuilds the policy) with
    semodule -DB
    and re-enable them afterwards with
    semodule -B

  • Now compile and install the new module, then confirm it is loaded:
    checkmodule -M -m -o $newmod.mod $newmod.te
    semodule_package -o $newmod.pp -m $newmod.mod
    semodule -i $newmod.pp
    semodule -l | grep $newmod
    (audit2allow -M $newmod on the same input writes both the .te and the .pp in one go, ready for semodule -i, but that skips the review step, so I prefer the long form.)
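The whole procedure above as one script, as an added example (my own, not from the notes or the Fedora FAQ). It assumes a yum-based system with the sysv-style service command, the default audit log path, and a hypothetical shortlist RISKY_PERMS of permissions that deserve a second look; the capture subcommand does the permissive-mode run and writes the .te file, and the separate install subcommand builds and loads it only after you have reviewed that file:

```shell
#!/bin/sh
# Added example, not from the original notes: the capture / review / build
# loop as one script. Assumptions: a yum-based system with sysv "service",
# the default audit log path, and my own RISKY_PERMS shortlist.
set -eu

AUDIT_LOG=/var/log/audit/audit.log

# Permissions a locally generated module should almost never grant without
# thought. This list is an assumption (my shortlist), not an official one.
RISKY_PERMS='execmem|execstack|execheap|setenforce|load_policy|module_load|sys_admin|sys_module|sys_rawio|sys_ptrace|dac_override|dac_read_search|ptrace|setuid|setgid'

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

ensure_auditd() {
    command -v audit2allow >/dev/null 2>&1 || yum -y install audit policycoreutils-python
    pgrep -x auditd >/dev/null || service auditd start
}

# Run a command in permissive mode so every denial it would hit is logged,
# and go back to enforcing afterwards even if the command fails or is interrupted.
capture_denials() {
    mode=$(getenforce)
    case "$mode" in
        Disabled)   echo "SELinux is disabled; nothing will be logged" >&2; return 1 ;;
        Permissive) echo "already permissive, not changing mode" >&2 ;;
        Enforcing)
            setenforce 0
            trap 'setenforce 1' EXIT
            trap 'exit 1' INT TERM     # exit so the EXIT trap fires on Ctrl-C too
            ;;
    esac
    "$@"
    if [ "$mode" = Enforcing ]; then
        setenforce 1
        trap - EXIT INT TERM
    fi
}

# Turn the denials logged since the last policy reload into NAME.te.
generate_te() {
    newmod=$1
    audit2allow -w -l -i "$AUDIT_LOG" >&2 || true   # explains each denial (boolean? label?)
    audit2allow -m "$newmod" -l -i "$AUDIT_LOG" > "$newmod.te"
    if ! grep -q '^[[:space:]]*allow ' "$newmod.te"; then
        echo "no denials captured; if the access is dontaudit'ed, run 'semodule -DB' and retry" >&2
        return 1
    fi
}

# Number of allow rules in a .te file (0 for an empty or missing file).
count_allow_rules() {
    n=$(grep -cE '^[[:space:]]*allow ' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print every allow rule that grants a permission from RISKY_PERMS.
# Exit status 0 if any were found, 1 if the file is clean.
flag_risky_rules() {
    grep -E "^[[:space:]]*allow .*[ {]($RISKY_PERMS)[ };]" "$1"
}

build_and_install() {
    newmod=$1
    checkmodule -M -m -o "$newmod.mod" "$newmod.te"
    semodule_package -o "$newmod.pp" -m "$newmod.mod"
    semodule -i "$newmod.pp"
    semodule -l | grep -Eq "^$newmod([[:space:]]|$)"   # confirm it is loaded
}

case "${1:-}" in
    capture)   # ./selinux-local.sh capture httpdwritehomes <command that gets blocked...>
        need_root; ensure_auditd
        newmod=${2:?module name}; shift 2
        semodule -R                     # fresh "since last reload" window for audit2allow -l
        capture_denials "$@"
        generate_te "$newmod"
        echo "$(count_allow_rules "$newmod.te") allow rule(s) written to $newmod.te; review and edit it" >&2
        if flag_risky_rules "$newmod.te"; then
            echo "the rules above grant high-risk permissions; remove them unless you really need them" >&2
        fi
        ;;
    install)   # ./selinux-local.sh install httpdwritehomes   (after editing the .te)
        need_root; build_and_install "${2:?module name}" ;;
    *) ;;      # no subcommand: only define the functions (e.g. when sourced)
esac
```

The trap in capture_denials is the part worth copying even if you never use the rest: a failed or interrupted test command must not leave the box permissive. count_allow_rules and flag_risky_rules are plain text checks on the .te file, so they can be run on any generated module before it is built.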
