Welcome to my website. I am always posting links to photo albums, art, technology and other creations. Everything that you will see on my numerous personal sites is powered by the formVistaTM Website Management Engine.

icon.linkedin.jpgicon.twitter.jpg

  • HowTo Compile and Install New SELinux Plicy Modules
    02/02/2018 4:31PM
    Following is a quick how-to on compiling and adding addition SELinux modules.

    When configuring and deploying new and/or custom services on systems that are enforcing SELinux you will likely have to compile addition SELinux modules.

    This how-to includes how to go through each step of compiling a new module one-by-one; similar to the model of breaking down the compilation of C and C++ into it's composite steps.

    Step 1:  Gather the audit.log entries

    You will need to determine which action(s) that SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following

    type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
    type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

    Take that output and save it into a file.


    Step 2: Generate the Type Enforcement (te) File From the Log Output

    audit2allow -m new-module > new-module.te < audit-log-output


    Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

    checkmodule -M -m -o new-module.mod new-module.te


    Step 4:  Create the SELinux Policy Module Packet (pp) File From the .mod File

    semodule_package -o new-module.pp -m new-module.mod


    Step 5:  Install the SELinux Policy Module

    semodule -i new-module.pp
Advanced Search

Categories

Archives