RHEL/CentOS 7: Creating SELinux Policies


In some cases, you’ll need to create a new SELinux policy—for instance, when installing a piece of software from source. Although I do not recommend installing software from source on enterprise systems, this is sometimes your only option for company-developed software.

It is then time to create your own SELinux policy.

For this you need to have policycoreutils-python installed.

We’ll use the AVC denial entries in the audit.log file to build our SELinux policy with audit2allow.

In this tutorial, we’ll use the same example as in the previous tutorial: the SELinux context of /var/www/html/index.html has been changed to system_u:object_r:user_home_t:s0, so httpd is denied access to it. Perform the following steps:

  1. First, create a human readable policy for verification via the following command:
    ~# egrep 'avc.*denied' /var/log/audit/audit.log |audit2allow -m example_policy
    module example_policy 1.0;
    require {
            type httpd_t;
            type user_home_t;
            class file { read open };
    }
    #============= httpd_t ==============
    #!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
    allow httpd_t user_home_t:file { read open };
  2. When this policy is validated, you can create a compiled SELinux policy file, as follows:
    ~# egrep 'avc.*denied' /var/log/audit/audit.log |audit2allow -M example_policy
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i example_policy.pp

When you generate a module package, two files are created: a type enforcement (.te) file and a policy package (.pp) file. The .te file is the human readable policy, the same as generated by audit2allow -m.

The .pp file is the compiled SELinux policy module package, which is later loaded with semodule to enable the new policy.

If you believe you have discovered a bug in an existing SELinux policy, you’ll need to produce a type enforcement (.te) file and a policy package (.pp) file to attach to your report in Red Hat Bugzilla.

It’s important to pass only the relevant AVC denial entries to audit2allow: every denial you feed it becomes an allow rule, so unrelated entries result in more access than required. It’s a good idea to write the AVC denial entries to a temporary file, remove the entries you don’t need, and then run audit2allow on that file. Also note hints such as the one in the output above: when audit2allow reports that a denial can be allowed with an existing boolean, setting that boolean is usually preferable to loading a custom module.
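As an added illustration, not part of the original tutorial, the following Python script does for the example above what audit2allow -m does: it parses AVC denial records, keeps only denials whose source domain is httpd_t (the "remove what is not needed" step, done in code), and renders a .te module. The audit.log lines are constructed samples; the rendered module can be compiled with checkmodule and semodule_package as described on this page.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1448443105.100:123): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1448443105.100:124): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1448443200.500:130): avc:  denied  { name_connect } for  pid=999 comm="python" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1448443201.000:131): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r"(scontext|tcontext|tclass)=(\S+)")


def parse_denials(log_text, source_type=None):
    """Collect {(source_type, target_type, class): {perms}} from AVC denials;
    with source_type set (e.g. "httpd_t"), denials from other domains are
    dropped, so unrelated entries never end up in the module."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # granted events and non-AVC records are skipped
        fields = dict(FIELD_RE.findall(line))
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        if source_type and stype != source_type:
            continue
        rules[(stype, ttype, fields["tclass"])].update(m.group("perms").split())
    return dict(rules)


def render_te(name, rules, version="1.0"):
    """Render the rules as a type enforcement (.te) module in audit2allow -m layout."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

Running `render_te("example_policy", parse_denials(SAMPLE_AUDIT_LOG, "httpd_t"))` yields a module equivalent to the audit2allow -m output shown in step 1, without the init_t denial.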

If the policy you generate in this way is not exactly what you need, you can always edit the generated .te file, and when you’re done, compile a new policy package from it. You can do this as follows:

  1. Build a binary policy module out of the policy file through this command:
    ~# checkmodule -M -m -o example_policy.mod example_policy.te
    checkmodule:  loading policy configuration from example_policy.te
    checkmodule:  policy configuration loaded
    checkmodule:  writing binary representation (version 17) to example_policy.mod
  2. Create the SELinux policy module package by executing the following:
    ~# semodule_package -o example_policy.pp -m example_policy.mod

