How to create a custom SELinux policy for CentOS

Utils

09 April 2014

This article has been migrate from the old blog.

How to use selinux on your Redhat/CentOS server.

Check if selinux is enabled/disabled:

sestatus

Disable on the fly selinux

setenforce 0

Enable on-the-fly selinux

setenforce 1

Install utilities to be able to change selinux policies

                              yum install policycoreutils policycoreutils-python
yum install -y setroubleshoot

Check for selinux errors

                              cat /var/log/audit/audit.* /var/log/messages* | audit2allow

                            

Create selinux rules based on what was found on logs

                              cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M mysemanage

                            

Apply the rules on the system

sudo semodule -i mysemanage.pp

In case you run in to trouble and even after applying the pp file your app will still be blocked use the following commands

semodule -BD

After run again the command to generate the rules and apply the new rules and after run the below command

semodule -B

Disable selinux
```
setenforce 0
```
Run the app which is blocked be selinux, after check selinux logs with the command
```
cat /var/log/audit/audit.* /var/log/messages* | audit2allow
```

Build the rules with the command

                                  cat /var/log/audit/audit.* /var/log/messages* | audit2allow -M myapprule

                                

Apply the created rule
```
sudo semodule -i myapprule.pp
```
Enable selinux
```
setenforce 1
```
Test your app
If the above steps doesn’t work then
```
echo 0 > /selinux/enforce
```
Clean selinux rules
```
semodule -BD
```
Go back and do the steps 2,3,4,5 and 6. If your app works then run the command
```
semodule -B
```
After applying the new rule do not run the process again. You will most probably lose all the policies. In case you have a new feature which is blocked by selinux run the followings commands
```
cat /var/log/audit/audit.* /var/log/messages* | audit2allow
```

Find in the list which policy is blocked. Will look like this

                                  #!!!! This avc can be allowed using the boolean 'httpd_use_nfs' 
allow httpd_t nfs_t:dir write;

Check your selinux policy and you will see that httpd_use_nfs = off
```
getsebool -a | grep httpd
```
Enable the policy
```
setsebool -P httpd_use_nfs 1
```
Restore selinux context to a folder
```
restorecon -R -v /folder_name
```

To update an existing .te selinux policy follow the steps below

                                  checkmodule -M -m -o mysemanage.mod mysemanage.te
semodule_package -m mysemanage.mod -o mysemanage.pp

>>> Please Allow cookies in order to post or read comments. <<<

Contact Info