• Advertisement
Join the IT Notebook

Any - SELinux - Creating custom policies

Any software title released with a GNU/Linux distribution. Articles are posted in "Linux Distribution - Software Title - Subject" format.

Any - SELinux - Creating custom policies

Postby lmmtux » Wed Mar 25, 2015 2:24 pm

SELinux is a very good security layer on Linux systems but often times can block activity that is needed. This instruction shows how to allow activity while keeping SELinux active on the system.

This instruction was created with CentOS 7. It should apply to most Linux systems.


SELinux is enabled by default out of the box with most Linux installations. SELinux contains policies for the software running on the system to only allow certain actions to be taken by the running software, as well as all actions on directories and files within the filesystem. For example, by default, Apache cannot make a network connection outbound. Some settings like this are changed with booleans (with the setsebool and getsebool programs).

SELinux contains many policies defined for each software package. One policy called "local" can be used to define custom policies when out of the box policies do not work as intended. It is first recommended to install the latest "selinux-policy" package first, and see if it clears up any issues. It not, follow the instructions below to create a custom policy.

Creating Custom Policies

All commands shown are to be run as the "root" user.

  1. Temporarily disable SELinux with this command to make sure SELinux is causing the issue in question.
    Code: Select all
    setenforce 0
  2. If the issue or problem goes away after running this, enable SELinux again and continue. If the problem persists, it is not an SELinux problem.
    Code: Select all
    setenforce 1
  3. Clear all blocked activity first by issuing the command:
    Code: Select all
    audit2allow -m local -l -i /var/log/audit/audit.log > temp.te
  4. Perform the desired action again that was not working
  5. Run the command to capture the permissions that the action is getting blocked for:
    Code: Select all
    audit2allow -m local -l -i /var/log/audit/audit.log > local.te
  6. Take a look at the file "local.te" above. You will notice it has a specific format. The top section contains definitions and the bottom sections contain the actual policies that use the definitions.
  7. Create a "local.mod" file with the command:
    Code: Select all
    checkmodule -M -m -o local.mod local.te
  8. Create a module package with the command:
    Code: Select all
    semodule_package -o local.pp -m local.mod
  9. Enable the policy on the system permanently:
    Code: Select all
    semodule -i local.pp
  10. Save the "local.te" file above. In the future, you must merge any future definitions and sections in to this file and re-run the above commands. Each time the "local" policy is imported, it will overwrite the one currently active.
  11. Re-test the actions. If they continue to fail, re-run the "audit2allow" command and direct to another file named "test.te" or similar. Examine and merge the contents of this file with the "local.te" file and run the "checkmodule", "semodule_package", and "semodule" commands in order as above to import an updated "local" policy.
Posts: 55
Joined: Mon Jul 30, 2012 9:40 pm
Reputation: 0

Return to Linux