Selinux References
All of the steps required to establish, create and deploy a selinux module.
cat /var/log/audit/audit.log | audit2why
Explains every AVC report.
Requires policycoreutils

audit2allow -a -w
Easier to type version of the above command.
Requires policycoreutils

audit2allow -a
Generates readable selinux policy from audit/audit.log and prints it to the terminal.
Requires policycoreutils

Generating Generic Modules
audit2allow -a -M POLICYNAME
Generates selinux policy from audit/audit.log named POLICYNAME (POLICYNAME.te and the compiled POLICYNAME.pp). The policy must be loaded manually.
Requires policycoreutils

semodule -i POLICYNAME.pp
Loads policy POLICYNAME manually.
Requires policycoreutils

Generate Custom Module
audit2allow -a -m POLICYNAME
Generates uncompiled selinux policy from audit/audit.log named POLICYNAME; the file POLICYNAME.te is created. This file may be edited by hand for better debugging. The file must be compiled before it can be loaded as a module.
Requires policycoreutils

checkmodule -M -m -o POLICYNAME.mod POLICYNAME.te
Generates a .mod from the POLICYNAME.te file. Think of this as a C object file.
Requires policycoreutils

semodule_package -m POLICYNAME.mod -o POLICYNAME.pp
Generates a compiled selinux module from a .mod file. It is recommended to keep the .te file around, as it is difficult to reverse engineer what a .pp file does once compiled.
Requires policycoreutils
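The three "Generate Custom Module" steps above (edited .te -> checkmodule -> semodule_package -> semodule -i) as one script. This is an added example, not part of the original reference. It assumes a POLICYNAME.te already exists (written by `audit2allow -a -m POLICYNAME` and edited by hand), that checkmodule, semodule_package and semodule are on PATH, and that the script runs as root for the final semodule -i. The module name is read from the "module NAME VERSION;" header of the .te file rather than typed again, so the .mod and .pp names always match the name SELinux records for the module. Note that on Fedora/RHEL checkmodule is packaged in checkpolicy, not policycoreutils, so the tool check below looks for it separately.

```sh
#!/bin/sh
# Added example (not from the original reference): build and load a hand-edited
# SELinux module. Assumes POLICYNAME.te exists and the build tools are installed.

# Print the NAME from the "module NAME VERSION;" header of a .te file.
# Returns 1 and prints nothing when the header is missing or malformed.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]\{1,\}[0-9.]\{1,\}[[:space:]]*;.*/\1/p' "$1" \
        | head -n 1 | grep .
}

# Return 0 only when every tool the build needs is installed.
# semodule and semodule_package ship in policycoreutils; checkmodule is in
# the checkpolicy package on Fedora/RHEL.
have_build_tools() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
}

# checkmodule -> semodule_package -> semodule -i, using the name from the .te header.
# A failing step stops the pipeline, so a syntax error in the edited .te is
# reported before anything is installed.
build_module() {
    te_file=$1
    name=$(te_module_name "$te_file") || { echo "no 'module NAME VERSION;' header in $te_file" >&2; return 1; }
    have_build_tools || return 1
    checkmodule -M -m -o "$name.mod" "$te_file" || return 1     # .te  -> .mod (the "object file")
    semodule_package -m "$name.mod" -o "$name.pp" || return 1  # .mod -> .pp  (loadable package)
    semodule -i "$name.pp" || return 1                         # install into the running policy (root)
    echo "loaded module '$name'; keep $te_file next to $name.pp for future edits"
}

# Usage: sh build_module.sh POLICYNAME.te
if [ "$#" -ge 1 ]; then
    build_module "$1"
fi
```

Keeping the .te under version control next to the .pp is what makes the module auditable later; the .pp alone only tells you that something was allowed, not why.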

Managing Loaded Modules
semodule -l
Lists loaded modules on the system.
Requires policycoreutils

Searching
ausearch -m avc -ts recent
Gets the recent (last 10 minutes) AVC messages.
Requires audit

sealert -a /var/log/audit/audit.log
Generates a report of AVC messages and why they are happening.
Requires setroubleshoot-server
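Before feeding denials to audit2allow, it helps to see what the AVC records in audit.log actually ask for. The script below is an added example, not part of the original reference: it summarises denials by source type, target type, object class and permission, which is exactly the shape of the allow rules audit2allow would generate, so an unexpected line (a web server asking to connect to a database port, say) stands out before it is allowed. The log records are constructed for this example in the format auditd writes; with a path argument it reads a real audit.log instead.

```sh
#!/bin/sh
# Added example (not from the original reference): summarise "avc:  denied"
# records from an audit log. Sample records below are constructed, not real.

# Write constructed AVC records (plus one unrelated SYSCALL record that must be
# ignored) to the file named in $1, so the example runs without /var/log/audit.
make_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
EOF
}

# Print "COUNT source_type target_type tclass permission", most frequent first.
# Only the third field of each context (the type) is kept, because that is
# what an allow rule in a .te file is written against.
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {            # permissions sit inside { ... }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")                   # one record may deny several permissions
        for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Usage: sh avc_summary.sh [/var/log/audit/audit.log]
if [ "$#" -ge 1 ]; then
    avc_summary "$1"
else
    sample=$(mktemp)
    make_sample_log "$sample"
    avc_summary "$sample"
    rm -f "$sample"
fi
```

On the constructed sample the two file reads collapse into one line and the tcp_socket name_connect stands alone; on a real log, a denial you cannot explain is a reason to look at the process and the labels (restorecon, semanage fcontext, a boolean) before writing an allow rule for it.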