How To Compile and Install New SELinux Policy Modules

Following is a quick how-to on compiling and installing additional SELinux policy modules.

When you configure and deploy new or custom services on systems that enforce SELinux, you will likely have to compile additional SELinux policy modules, because the stock policy does not know what your service is allowed to do.

This how-to walks through each step of building a module one at a time, much as you would break the compilation of a C or C++ program into its component stages (compile, link, install) rather than running them all at once.

Step 1:  Gather the audit.log entries

First determine which action(s) SELinux is blocking. To do so, tail the /var/log/audit/audit.log file while you reproduce the failure (ausearch -m avc -ts recent shows the same records). You will see something similar to the following:

type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

Take that output and save it into a file. Before going further, read what it says: here a process in the nrpe_t domain (the check_zookeeper plugin, running under bash) was denied write on a file of type tmp_t. The SYSCALL record shows exit=-13 (EACCES) from syscall 2 (open() on x86_64, arch=c000003e) with flags a1=2c1, i.e. O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, which is bash creating the temporary file for a here-document (the /tmp/sh-thd-* path). Knowing this lets you judge whether the access is something the service should legitimately be doing before you write a rule that allows it, and lets you drop any unrelated denials that landed in the same capture.

Step 2: Generate the Type Enforcement (te) File From the Log Output

audit2allow -m new-module < audit-log-output > new-module.te

Read new-module.te before going further. audit2allow turns every denial in its input into an allow rule, so if the saved log contains denials you did not mean to permit, the module will permit them too. Where a denial can be resolved by an existing boolean, audit2allow says so in a comment above the rule; prefer setsebool -P in that case. Likewise, if the denial is caused by a file carrying the wrong label, relabel it (semanage fcontext and restorecon) rather than allowing the domain to touch the wrong type.

Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

checkmodule -M -m -o new-module.mod new-module.te

Step 4:  Create the SELinux Policy Module Package (pp) File From the .mod File

semodule_package -o new-module.pp -m new-module.mod

Step 5:  Install the SELinux Policy Module

semodule -i new-module.pp
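The five steps above wrapped into one script, as an added example that is not part of the original post. It assumes the standard policycoreutils tools (audit2allow, checkmodule, semodule_package, semodule) are installed and that the install step runs as root. The sample log embedded in it is the denial from Step 1; the summarize function is an extra review pass, not one of the original steps, that prints what each denial would allow before any rule is generated, and the install function checks that semodule actually lists the module afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 as reviewable functions.
# Assumes audit2allow, checkmodule, semodule_package and semodule are installed
# (policycoreutils / policycoreutils-python on RHEL-family systems) and that
# install_module runs as root.
set -eu

# Constructed sample input: the three audit.log lines shown in Step 1.
SAMPLE_LOG='type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174'

# summarize_denials: read audit.log lines on stdin and print one line per
# distinct "source domain -> target type (class): permissions" found in AVC
# denials. Reading this first shows exactly what audit2allow is about to
# allow, so unrelated denials in the same capture can be removed.
summarize_denials() {
    grep '^type=AVC ' | grep 'denied' |
    sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z0-9_]*\).*/\2 -> \3 (\4): \1/p' |
    sort -u
}

# build_module NAME LOGFILE: steps 2-4. Generates the .te, prints it for
# review, then compiles it into a .mod and packages it into a .pp.
build_module() {
    name=$1
    log=$2
    audit2allow -m "$name" < "$log" > "$name.te"
    echo "== $name.te (review before installing; a comment marks rules a boolean could replace) =="
    cat "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
}

# install_module NAME: step 5, then confirm the module is actually loaded.
install_module() {
    semodule -i "$1.pp"
    semodule -l | grep -Eq "^$1([[:space:]]|$)" \
        || { echo "$1 not listed by semodule -l after install" >&2; return 1; }
}

# Usage:
#   sh selinux-module.sh summarize audit-log-output
#   sh selinux-module.sh build new-module audit-log-output
#   sh selinux-module.sh install new-module
# With no arguments it summarizes the embedded sample log.
case "${1:-}" in
    summarize) summarize_denials < "$2" ;;
    build)     build_module "$2" "$3" ;;
    install)   install_module "$2" ;;
    *)         printf '%s\n' "$SAMPLE_LOG" | summarize_denials ;;
esac
```

Run the summarize step on the saved log first; for the capture in Step 1 it prints a single line, nrpe_t -> tmp_t (file): write, which is the one rule you expect the .te to contain. The build step stops to show the .te so you can compare it with that summary before the .pp is installed.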
