Wednesday, September 9, 2009

Fix SELinux problem

Q:

I have some avc denials that I would like to allow, how do I do this?

A:

If you have specific AVC messages you can use audit2allow to generate a Type Enforcement file that is ready to load as a policy module.

audit2allow -M local < /tmp/avcs

This creates a local.pp which you can then load into the kernel using semodule -i local.pp. You can also edit the local.te to make additional customizations. To create a module allowing all the denials since the last reboot that you can then customize, execute the following:

audit2allow -m local -l -i /var/log/messages > local.te

Note that the above assumes you are not using the audit daemon. If you are using the audit daemon, use /var/log/audit/audit.log instead of /var/log/messages as your log file. This generates a local.te file that looks similar to the following:

module local 1.0;

require {
class file { append execute execute_no_trans getattr ioctl read write };
type httpd_t;
type httpd_w3c_script_exec_t;
};
allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };

You can hand edit this file, removing allow statements that you don't want to allow, and then recompile and reload it using:

  • checkmodule -M -m -o local.mod local.te to compile the te file. Note that checkmodule is part of the checkpolicy rpm, so you need to have it installed.

  • semodule_package -o local.pp -m local.mod to create a policy package.

  • semodule -i local.pp to add it to the current machine's running policy. This installs a new module called local with these rules into the module store.
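The steps above, from raw AVC denials to a module you have hand-edited and then compiled, packaged and installed, can be followed end to end with the small audit2allow-style script below. It is an added example, not code from the original post or from the SELinux project: it parses the kernel's standard AVC denial layout, merges denials per (source type, target type, class) the way audit2allow does, lets you drop rules you do not want before anything is loaded, renders the require block and allow rules in the layout shown above, and runs the checkmodule / semodule_package / semodule sequence. The sample denials, including the httpd_t, httpd_w3c_script_exec_t and mysqld_port_t types, pids, inodes and paths, are constructed for the example; the `run` parameter of `build_module` is an assumption added so the tool sequence can be exercised on a machine without the checkpolicy rpm or root.

```python
"""Minimal audit2allow-style generator: AVC denials -> loadable TE module source.

Added example; not the page's or the SELinux project's code.  Assumes the
kernel's standard AVC line layout and the tool names from the page.
"""
import re
import subprocess
from collections import defaultdict
from pathlib import Path

# Constructed sample denials: pids, inodes, paths and the mysqld_port_t rule are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1252470000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.cgi" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_w3c_script_exec_t:s0 tclass=file
type=AVC msg=audit(1252470000.456:46): avc:  denied  { execute execute_no_trans } for  pid=1234 comm="httpd" path="/var/www/cgi-bin/index.cgi" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_w3c_script_exec_t:s0 tclass=file
type=AVC msg=audit(1252470001.789:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Collect denied permissions per (source type, target type, class).

    Several denials for the same triple are merged into one rule, which is
    what audit2allow does before it writes the allow line.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, ignore it
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def drop_rules(rules, unwanted):
    """The hand-editing step: remove every rule for which `unwanted` is true.

    `unwanted` receives (source_type, target_type, tclass); returning True
    drops the rule, so a denial that was correct is not turned into an allow.
    """
    return {key: perms for key, perms in rules.items() if not unwanted(key)}


def perm_list(perms):
    """Single permission bare, several inside braces, as in policy syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name="local", version="1.0"):
    """Render the rules as module source in the layout shown on the page."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    lines += [f"\ttype {t};" for t in types]
    lines += ["};", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {perm_list(perms)};")
    return "\n".join(lines) + "\n"


def build_commands(name):
    """The compile / package / install steps from the page, as argv lists."""
    return [
        ["checkmodule", "-M", "-m", "-o", f"{name}.mod", f"{name}.te"],
        ["semodule_package", "-o", f"{name}.pp", "-m", f"{name}.mod"],
        ["semodule", "-i", f"{name}.pp"],
    ]


def build_module(te_source, name="local", workdir=".", run=subprocess.run):
    """Write NAME.te and run the three tools in order.

    `run` is an injectable stand-in for subprocess.run (assumption for this
    example) so the sequence can be checked without root or checkpolicy.
    """
    Path(workdir, f"{name}.te").write_text(te_source)
    for argv in build_commands(name):
        run(argv, cwd=workdir, check=True)
    return [argv[0] for argv in build_commands(name)]


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    # Keep the CGI file access, but do not allow the database-port rule.
    rules = drop_rules(rules, lambda key: key[2] == "tcp_socket")
    print(render_te(rules), end="")
```

Running the script prints a local.te with a single allow line for httpd_t on httpd_w3c_script_exec_t:file and no mention of mysqld_port_t, because the predicate passed to `drop_rules` rejected it; calling `build_module(render_te(rules))` with the default `run` on a Fedora or RHEL host then performs the three tool invocations listed above.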

Important: in order to load this newly created policy package into the kernel, you must execute semodule -i local.pp

Note that if you later install another module called local, it will replace this module. If you want to keep these rules around, then you either need to append future customizations to this local.te, or give future customizations a differe