Linux – Adding to existing policy in selinux

Tags: linux, security, selinux

I just created a custom policy and did the semodule -i test.te.

I reran all my tests after a few days and I noticed there were additional AVC denials in the audit.log.

I want to add the new stuff to my existing test.te file so that I won't have multiple policies. I just want to have one policy and just keep adding to it, is that possible and how?
Thanks in advance.

Best Answer

The whole procedure is very well documented in the manpages of audit2allow(1), checkmodule(8) and semodule(8).

An example workflow would be (all taken from the mentioned manpages):

  • review local.te and customize as desired

$ cat local.te
module local 1.0;

require {
        class file {  getattr open read };
        type myapp_t;
        type etc_t;
 };

allow myapp_t etc_t:file { getattr open read };

  • Compile the module

$ checkmodule -M -m -o local.mod local.te

  • Create the package

$ semodule_package -o local.pp -m local.mod

  • Load the module into the kernel

$ semodule -i local.pp

  • Install or replace a non-base policy package.

$ semodule -i httpd.pp

  • List non-base modules.

$ semodule -l

If your modules are versioned, you might find it interesting to use the semodule(8) -u switch:

 -u,--upgrade=MODULE_PKG
   upgrade an existing module package, or install if the module does not exist
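As an added worked example (not part of the answer above, and not a tool shipped with SELinux or audit2allow), the script below does the "keep adding to one policy" step mechanically: it parses the existing local.te and the fresh audit2allow -m output for the new denials, unions the require declarations and allow rules, bumps the minor version, and emits a single merged .te. It understands only a simplified subset of .te syntax (the module header, a require block with type/attribute/role/bool declarations and class permission sets, and plain allow rules). The sample module texts, the var_log_t target type and the function names are constructed for illustration.

```python
"""Merge audit2allow(1) output into an existing SELinux .te module.

Added illustration, not code from the original answer.  Handles a simplified
subset of .te syntax: module header, require block, plain allow rules.
"""
import re
from collections import defaultdict

# Constructed sample: the existing local.te from the answer.
EXISTING_TE = """\
module local 1.0;
require {
        class file {  getattr open read };
        type myapp_t;
        type etc_t;
 };
allow myapp_t etc_t:file { getattr open read };
"""

# Constructed sample: what `audit2allow -m local` might emit for a later set
# of denials.  var_log_t is used purely as an illustrative target type.
NEW_TE = """\
module local 1.0;

require {
        type myapp_t;
        type var_log_t;
        class file { open write };
        class dir search;
}

#============= myapp_t ==============
allow myapp_t var_log_t:file { open write };
allow myapp_t var_log_t:dir search;
allow myapp_t etc_t:file read;
"""

MODULE_RE = re.compile(r"^\s*module\s+(\w+)\s+(\d+)\.(\d+)\s*;", re.M)
DECL_RE = re.compile(r"\b(type|attribute|role|bool)\s+(\w+)\s*;")
CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)


def _perms(braced, single):
    """Permission list from either `{ a b }` (braced) or a bare name (single)."""
    return braced.split() if braced is not None else [single]


def _require_body(text):
    """Text between the braces of the require block, honouring nested braces."""
    start = text.find("require")
    if start < 0:
        return ""
    depth, opened = 0, text.index("{", start)
    for i in range(opened, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[opened + 1:i]
    raise ValueError("unbalanced require block")


def parse_te(text):
    """Parse a .te module into name, version, declarations, classes, allow rules."""
    header = MODULE_RE.search(text)
    if header is None:
        raise ValueError("missing 'module NAME MAJOR.MINOR;' header")
    body = _require_body(text)
    decls = {(m.group(1), m.group(2)) for m in DECL_RE.finditer(body)}
    classes, rules = defaultdict(set), defaultdict(set)
    for m in CLASS_RE.finditer(body):
        classes[m.group(1)].update(_perms(m.group(2), m.group(3)))
    for m in ALLOW_RE.finditer(text):
        rules[(m.group(1), m.group(2), m.group(3))].update(_perms(m.group(4), m.group(5)))
    return {"name": header.group(1),
            "version": (int(header.group(2)), int(header.group(3))),
            "decls": decls, "classes": classes, "rules": rules}


def merge(existing, new):
    """Union two parsed modules of the same name; bump the existing minor version."""
    if existing["name"] != new["name"]:
        raise ValueError("module names differ: %s vs %s" % (existing["name"], new["name"]))
    classes, rules = defaultdict(set), defaultdict(set)
    for mod in (existing, new):
        for cls, perms in mod["classes"].items():
            classes[cls].update(perms)
        for key, perms in mod["rules"].items():
            rules[key].update(perms)
    # Every permission granted by an allow rule must also be listed in require.
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    major, minor = existing["version"]
    return {"name": existing["name"], "version": (major, minor + 1),
            "decls": existing["decls"] | new["decls"],
            "classes": classes, "rules": rules}


def render(mod):
    """Emit the module as .te text with sorted, deduplicated entries."""
    out = ["module %s %d.%d;" % (mod["name"], *mod["version"]), "", "require {"]
    out += ["        %s %s;" % d for d in sorted(mod["decls"])]
    out += ["        class %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(mod["classes"].items())]
    out += ["}", ""]
    out += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(mod["rules"].items())]
    return "\n".join(out) + "\n"


def merge_te(existing_text, new_text):
    """Merged .te text ready for checkmodule(8)."""
    return render(merge(parse_te(existing_text), parse_te(new_text)))


if __name__ == "__main__":
    print(merge_te(EXISTING_TE, NEW_TE), end="")
```

In practice the second input comes from `audit2allow -m local -i /var/log/audit/audit.log` (same module name as the existing file), the merged text is written back over local.te, and the module is rebuilt with the checkmodule and semodule_package commands from the answer. Because the version has been bumped, `semodule -u local.pp` replaces the loaded module in place and there is still only one policy package to maintain. Review the merged allow rules before loading them: the merge is purely mechanical and grants every permission the denials asked for.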