Matthew Ames


Matthew Ames - 2016-03-01 - 8:52 am

Modifying a policy

chcon -u system_u /etc/afile
semanage fcontext -a -s system_u -t etc_t "/etc/afile"

Creating a policy from logs

Make the logs a little more human readable

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

Install the required application

yum install policycoreutils-python || dnf install policycoreutils-python-utils

Isolate what you’re trying to allow

grep ${SERVICE} /var/log/audit/audit.log

Use the above to create a Type Enforcement policy

grep ${SERVICE} /var/log/audit/audit.log | audit2allow -m ${MODULENAME} > ${MODULENAME}.te

Create the module file (no .pp extension)

grep ${SERVICE} /var/log/audit/audit.log | audit2allow -M ${MODULENAME}

Import the module

semodule -i ${MODULENAME}.pp