All of the steps required to investigate AVC denials and then create and deploy an SELinux module.
cat /var/log/audit/audit.log | audit2why
Explains every AVC report.
audit2allow -a -w
Easier-to-type version of the above command: -a reads /var/log/audit/audit.log directly and -w explains each denial.
Generates a readable explanation of each AVC denial in the audit log and prints it to the terminal.
Generating Generic Modules
audit2allow -a -M POLICYNAME
Generates a compiled SELinux module POLICYNAME.pp (plus its POLICYNAME.te source) from /var/log/audit/audit.log. The module must be loaded manually.
semodule -i POLICYNAME.pp
Loads module POLICYNAME.pp manually.
Generating a Custom Module
audit2allow -a -m POLICYNAME > POLICYNAME.te
Generates uncompiled SELinux policy source named POLICYNAME from /var/log/audit/audit.log; -m prints it to stdout, so redirect it into POLICYNAME.te. This file may be edited by hand to tighten the rules and make debugging easier. It must be compiled before it can be loaded as a module.
checkmodule -M -m -o POLICYNAME.mod POLICYNAME.te
Generates POLICYNAME.mod from the POLICYNAME.te file. Think of this as a C object file.
semodule_package -m POLICYNAME.mod -o POLICYNAME.pp
Generates a compiled SELinux module from a .mod file. It is recommended to keep the .te file around, as it is difficult to reverse engineer what a .pp file does once compiled.
Managing Loaded Modules
semodule -l
Lists the modules loaded on the system.
ausearch -m avc -ts recent
Shows the AVC messages from the last 10 minutes (-ts recent).
sealert -a /var/log/audit/audit.log
Generates a report of AVC messages and why they are happening.