
Selinux References

All of the steps required to establish, create and deploy a selinux module.

  • cat /var/log/audit/audit.log | audit2why
    Explains every AVC report.
    Requires policycoreutils

  • audit2allow -a -w
    Easier to type version of the above command.
    Requires policycoreutils

  • audit2allow -a
    Generates readable selinux policy from audit/audit.log and prints it to the terminal.
    Requires policycoreutils

Generating Generic Modules

  • audit2allow -a -M POLICYNAME
    Generates a selinux policy module named POLICYNAME from audit/audit.log. The module is not activated automatically; it must be loaded manually.
    Requires policycoreutils

  • semodule -i POLICYNAME.pp
    Load policy POLICYNAME manually.
    Requires policycoreutils

Generate Custom Module

  • audit2allow -a -m POLICYNAME
    Generates uncompiled selinux policy from audit/audit.log, named POLICYNAME, as the file POLICYNAME.te. This file may be edited by hand for better debugging. The .te file must be compiled before it can be loaded as a module.
    Requires policycoreutils

  • checkmodule -M -m -o POLICYNAME.mod POLICYNAME.te
    Generates a .mod file from the POLICYNAME.te file. Think of this as a C object file.
    Requires policycoreutils

  • semodule_package -m POLICYNAME.mod -o POLICYNAME.pp
    Generates a compiled selinux module from a .mod file. It is recommended to keep the .te file around, as it is difficult to reverse engineer what a .pp file does once compiled.
    Requires policycoreutils
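
To show what the .te file produced by the steps above contains, here is an added Python example (written for this page, not code from audit2allow or the original list) that reads constructed AVC denial records, groups them by source type, target type and class the way audit2allow does, and renders a .te source with the module header, require block and allow rules; the module name mypol and the sample log lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of /var/log/audit/audit.log (not real log data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { open } for  pid=1201 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):.*?"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return denials


def generate_te(module_name, denials, version="1.0"):
    """Render a .te source in the layout audit2allow writes: module line, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # Each allow rule grants exactly what the denial asked for; before running checkmodule,
    # check whether a denial really needs new policy or only a relabel of a mislabeled file.
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te("mypol", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Redirecting the printed text into mypol.te gives a file that the checkmodule and semodule_package steps above accept.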

Managing Loaded Modules

  • semodule -l
    List loaded modules on the system.

  • ausearch -m avc -ts recent
    Get the recent (last 10 minutes of) AVC messages.
    Requires audit

  • sealert -a /var/log/audit/audit.log
    Generates a report of AVC messages and why they are happening.
    Requires setroubleshoot-server