Archive: This content is maintained for historical reference. Please note that the specific versions and commands may no longer be compatible with modern systems.
Recently, when building an RPM, we needed to create a custom SELinux policy. The following steps outline how we generated that policy.
Step 1: Install Dependencies
First, install the necessary utilities for managing SELinux policies:
yum install policycoreutils-python
Step 2: Identify the Blocked Actions
Start the application that is failing (in this case, Nginx). Then, use audit2allow to check the audit log for denials:
audit2allow -i /var/log/audit/audit.log
In our case, the output identified a required permission for execmem:
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
Step 3: Extract Specific Denial Rules
To ensure we only address the relevant issue, search the audit log for the specific “denied” entry:
less /var/log/audit/audit.log
Look for the AVC denial line matching the previous output. It should look similar to this:
type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
Step 4: Create a Custom Policy Source
Copy that specific line and paste it into a new text file:
vi ulyaoth.txt
Note: We choose to manually copy the relevant lines into a text file because audit2allow can sometimes pull unrelated blocks from the main log. This method keeps our custom policy clean and focused.
Step 5: Generate the Policy Module
Now, use audit2allow to create the policy module from your text file:
audit2allow -M ulyaoth < ulyaoth.txt
This command generates two files:
- ulyaoth.te: The Type Enforcement source file (human-readable).
- ulyaoth.pp: The compiled policy package (binary).
Step 6: Installation and Implementation
To activate the policy immediately on your system, run:
semodule -i ulyaoth.pp
For distribution, you can include these files in a .spec file to be installed via RPM.
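The steps above rely on hand-picking the right AVC line out of audit.log so that the generated module contains only the rule the application actually needs. The following added example (not code from the original post, and independent of audit2allow itself) shows what that selection and the audit2allow translation amount to: it parses AVC records, keeps only the denials whose comm= matches the application being packaged, and renders them as the same style of allow rule that audit2allow produced in Step 2. The log excerpt is constructed for the example; the only line taken from the post is the nginx execmem denial, and the other records are invented to show what a blanket run over the whole log would have swept in.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from a real system). The first AVC
# record is the nginx execmem denial from the post; the remaining records are
# invented to show unrelated denials that a blanket "audit2allow -i audit.log"
# would also turn into allow rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1428051444.093:882): avc: denied { execmem } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1428051444.093:882): arch=c000003e syscall=10 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1428051500.101:901): avc: denied { name_connect } for pid=1084 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1428051600.512:950): avc: denied { read } for pid=2210 comm="backup.sh" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1428051700.001:960): avc: granted { setenforce } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only "denied" AVC records; "granted" records and non-AVC lines are ignored.
# \s+ tolerates the double spaces real auditd output uses around "denied".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_denials(log_text):
    """Return one dict per AVC *denied* record found in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()   # "{ read write }" -> ["read", "write"]
        d["line"] = line                  # raw line, what you would paste into ulyaoth.txt
        denials.append(d)
    return denials


def select_denials(log_text, comm):
    """The manual 'copy only the relevant line' step: keep the denials whose
    comm= is the application being packaged, nothing else."""
    return [d for d in parse_denials(log_text) if d["comm"] == comm]


def context_type(ctx):
    """user:role:type[:level] -> type (index 2 holds even with MLS ranges)."""
    return ctx.split(":")[2]


def allow_rules(denials):
    """Render denials as Type Enforcement allow rules, merging permissions that
    share (source type, target type, class) the way audit2allow's output does."""
    merged = defaultdict(set)
    for d in denials:
        src = context_type(d["scontext"])
        tgt = context_type(d["tcontext"])
        tgt = "self" if tgt == src else tgt   # same type on both sides -> "self"
        merged[(src, tgt, d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def write_policy_input(log_text, comm, path):
    """Write the raw AVC lines for one application to a file suitable for
    'audit2allow -M <name> < path'. Returns the number of lines written."""
    chosen = select_denials(log_text, comm)
    with open(path, "w") as f:
        for d in chosen:
            f.write(d["line"] + "\n")
    return len(chosen)


if __name__ == "__main__":
    print("All denials in the log would yield:")
    for r in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print("  " + r)
    print("Only nginx denials yield:")
    for r in allow_rules(select_denials(SAMPLE_AUDIT_LOG, "nginx")):
        print("  " + r)
```

Running it side by side makes the point of Step 4 concrete: the unfiltered log would have produced an allow rule granting read on shadow_t for an unrelated script, which has nothing to do with the nginx package. Note also that the audit2allow output in Step 2 carries a boolean hint (httpd_execmem); where such a boolean exists, enabling it with setsebool -P is the lighter alternative to shipping a custom module, and the module approach is for denials no existing boolean covers.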