How To Compile and Install New SELinux Plicy Modules

Following is a quick how-to on compiling and adding addition SELinux modules.

When configuring and deploying new and/or custom services on systems that are enforcing SELinux you will likely have to compile addition SELinux modules.

This how-to includes how to go through each step of compiling a new module one-by-one; similar to the model of breaking down the compilation of C and C++ into it’s composite steps.

Step 1:  Gather the audit.log entries

You will need to determine which action(s) that SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following

type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

Take that output and save it into a file.

Step 2: Generate the Type Enforcement (te) File From the Log Output

audit2allow -m new-module > new-module.te < audit-log-output

Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

checkmodule -M -m -o new-module.mod new-module.te

Step 4:  Create the SELinux Policy Module Packet (pp) File From the .mod File

semodule_package -o new-module.pp -m new-module.mod

Step 5:  Install the SELinux Policy Module

semodule -i new-module.pp

How to See SELinux Denials That Do Not Show In the audit.log

Or, otherwise know as: SELinux and Silent Denials.

Sometimes when troubleshooting SELinux issues, you will have added new policies for each of the denial causes written to the audit.log, but SELinux will still be denying access . . . and not giving you any further information about it in the audit.log.

Various processes often execute additional system calls that are above an beyond what they need to do for normal operation.  Many of them are blocked, and in order to keep filling the audit.log with harmless denials they are silently dropped.  These are defined by a set of dontaudit rules.

In order to temporarily disable them, issue the following command as root

 # semodule -DB

The -D option disables dontaudit rules and the B option will rebuild the policy.  After this runs, you should see additional information in the auditlog and with that information use audit2allow -i input-file -M output-file to build your .te and .pp files.

After debugging is complete run the following to re-enable the dontaudit rules.

 # semodule -B