SELinux: Compile a policy package

You have generated a human-readable SELinux .te file and want to compile it into a .pp policy file.

Create a policy

The first command reads the AVC denials from the audit.log file and generates both a .te and a .pp file. The .te file is human-readable. The .pp file is compiled. The second command installs that policy.

ausearch -m AVC --raw | audit2allow -M mypol
semodule -i mypol.pp

You may be presented with only a human-readable file. There are many reasons for this. Whatever the reason, here are the steps to compile a .te file.

mypol.te

Here is an example of a .te file that was generated.

module mypol 1.0;

require {
        type httpd_t;
        type etc_t;
        class dir write;
}

#============= httpd_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow httpd_t etc_t:dir write;

mypol.pp

Here are the commands used to compile the .te file into a .pp file that can be installed to modify the SELinux policy.

checkmodule -M -m -o mypol.mod mypol.te
semodule_package -o mypol.pp -m mypol.mod

The following command will install the new policy.

semodule -i mypol.pp
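
A review gate in front of the two compile commands, as an added example that is not part of the original page: it refuses to build when audit2allow annotated a rule with a "#!!!!" comment, as it did for the etc_t base-type rule in mypol.te. The function names flagged_rules and build_pp and the FORCE variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. flagged_rules, build_pp and the
# FORCE variable are illustrative names.

# Print each allow rule that audit2allow annotated with a "#!!!!" comment
# (for example the "'etc_t' is a base type" warning in mypol.te).
flagged_rules() {
    awk '
        /^#!!!!/ { warned = 1; next }        # annotation seen
        /^[ \t]*allow[ \t]/ {                # the next rule owns it
            if (warned) print
            warned = 0
        }
    ' "$1"
}

# Compile NAME.te to NAME.pp with the page's two commands, but only when no
# rule is flagged or the reviewer has set FORCE=1 after reading the rules.
build_pp() {
    te=$1
    name=${te%.te}
    flagged=$(flagged_rules "$te")
    if [ -n "$flagged" ] && [ "${FORCE:-0}" != 1 ]; then
        printf 'Not building %s; review these rules first:\n%s\n' "$te" "$flagged" >&2
        return 2
    fi
    checkmodule -M -m -o "$name.mod" "$te" &&
        semodule_package -o "$name.pp" -m "$name.mod"
}

# Demo on a copy of the mypol.te shown above; nothing is compiled or installed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mypol.te" <<'EOF'
module mypol 1.0;

require {
        type httpd_t;
        type etc_t;
        class dir write;
}

#============= httpd_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow httpd_t etc_t:dir write;
EOF
build_pp "$demo_dir/mypol.te" || echo "build blocked (exit $?)"
```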

Source(s)

  • https://relativkreativ.at/articles/how-to-compile-a-selinux-policy-package