Selinux References

All of the steps required to establish, create and deploy a selinux module.

• cat /var/log/audit/audit.log | audit2why
  Explains every AVC report.
  Requires policycoreutils

• audit2allow -a -w
  Easier to type version of the above command.
  Requires policycoreutils

• audit2allow -a
  Generates readable selinux policy from audit/audit.log and prints it to the terminal.
  Requires policycoreutils

Generating Generic Modules

• audit2allow -a -M POLICYNAME
  Generates selinux policy from audit/audit.log POLICYNAME. Policy must be loaded in manually.
  Requires policycoreutils

• semodule -i POLICYNAME.pp
  Load policy POLICYNAME manually.
  Requires policycoreutils

Generate Custome Module

• audit2allow -a -m POLICYNAME
  Generates uncompiled selinux policy from audit/audit.log named POLICYNAME and file POLICYNAME.te is created. This file may be edited by hand for better debugging. Files must be compiled before it can be loaded in as a module.
  Requires policycoreutils

• checkmodule -M -m -o POLICYNAME.mod POLICYNAME.te
  Generate mod from from POLICYNAME.te file. Think of this as a C object files.
  Requires policycoreutils

• semodule_package -m POLICYNAME.mod -o POLICYNAME.pp
  Generates a compiled selinux module from a .mod file. It is recommended to keep the .tt file around as it is difficult to reverse engineer what a .pp file does once compiled.
  Requires policycoreutils

Managing Loaded Modules

• semodule -l
  List loaded modules on the system

Searching

• ausearch -m avc -ts recent
  Get recent (10 minutes) of AVC messages.
  Requires audit

• seleart -a /var/log/audit/audit.log
  Generates a report of AVC messages and why they are happening.
  Requires setroubleshoot-server