SELinux: Compile a policy package

You have generated a SELinux human readable .te file and want to compile it into a .pp policy file.

Prerequisites

Only needed for sealert

yum install setroubleshoot-server

Troubleshooting

This is a series of commands used to troubleshoot a recent zabbix-server service that would not start. It was the results of the ausearch that revealed the semodule command that differed from the result, but worked.

systemctl start zabbix-server; ps aux | grep setroubleshoot
sealert -a /var/log/audit/audit.log
ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
semodule -X 300 -i my-zabbixserver.pp

Create a policy

The first command will read through the audit.log file to generate both a .te and .pp file. The .te is human readable. The .pp is compiled. The second command installs that policy.

ausearch -c 'avc' --raw | audit2allow -M mypol
semodule -i mypol.pp

You may be presented with only a human readable file. There are many reasons for this. However the reason, here are the steps to compile a .te file.

mypol.te

Here is an example of a .te file that was generated.

module mypol 1.0;

require {
        type httpd_t;
        type etc_t;
        class dir write;
}

#============= httpd_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow httpd_t etc_t:dir write;

mypol.pp

Here are the commands used to compile the .te to a .pp file that can be used to modify the SELinux context.

checkmodule -M -m -o mypol.mod mypol.te
semodule_package -o mypol.pp -m mypol.mod

The following command will install the new policy.

semodule -i mypol.pp

Source(s)

  • https://relativkreativ.at/articles/how-to-compile-a-selinux-policy-package
  • https://www.thegeekdiary.com/how-to-install-and-configrue-setroubleshootd-on-centos-rhel/