SElinux is a security mechanism introduced in Linux OS as an extra security layer. There are probably many things to be mentioned about selinux so I’m not going to discuss about the main concepts that make up selinux such as labeling and targeting. I’ll show you in this article how to create a new selinux policy (also known as module) and install it on a machine.
You can check the selinux status by typing getenforce without any parameters. You can then use setenforce 0 command to change it to permissive or setenforce 1 again to enforce it:
All SElinux messages are logged in /var/log/audit/audit.log, you can inspect this file to determine what applications are blocked from interacting with the Operating System. /var/log/messages is another location in which you can find useful information about selinux logs. As you will probably see, the log file contains a bunch of information that is hard to read, you can use the audit2allow -w -a command to display a more friendlier output. This command will parse the audit.log file ( -a parameter) and then will create a friendlier output (-w parameter) that looks something like:
In SElinux context all log messages are named AVC so you will see them everywhere in the audit log file.
You can view all SElinux rejected accesses using the audit2allow -a command:
This command can also be used to parse the log file then create a module that can be imported by SElinux to allow access. Execute audit2allow -a -M module_name to create a new SElinux module. I’ve named mine zabbixdiamond and placed it in my home directory. The command will create two files, one with .pp and another one with .te extension:
audit2allow -a -M zabbixdiamond
You can view the content of the selinux module by executing cat zabbixdiamond.te command. As you can see from the image below, the module contains all the rules that are needed by SElinux to allow this particular AVC :
All that’s left now is to install the module using the following command: semodule -i zabbixdiamond.pp. If you encounter an error saying something that “global requirements are not met” it means that SElinux already has a module with a similar name installed on the machine so you’ll need to change its name:
In this case you will have to restart the procedure and create a new SElinux module with a different name. To check what modules are installed on the server use semodule -l. You can expand this command and search for a particular SElinux module with semodule -l | grep zabbixdiamond . In this way you also verify if a SElinux module has been successfully loaded in the OS.
Execute again audit2allow -a and see if the AVCs are now allowed in SElinux:
That’s about it for this article folks, hope it will serve you well in creating SElinux policies. Wish you all the best!