[lug] Understanding SElinux "semodule" and "audit2allow"

Orion Poplawski orion at cora.nwra.com
Thu Oct 24 19:58:56 MDT 2013


On 10/24/2013 5:35 PM, stimits at comcast.net wrote:
> Now I have a new question about notes on the selinux notifications...I
> believe it is setroubleshootd that has the popup tool to notify of
> alerts to selinux. One of the options is to create a local rule when
> selinux is interfering with something which is considered normal and
> valid. The recipe is like this:
>    grep "something audited" /var/log/audit/audit.log | audit2allow -M mypol
>    semodule -i mypol.pp
>
> The result is creation of mypol.tt (human readable) and mypol.pp
> (binary), followed by some form of update which modifies the
> /etc/selinux/ subdirectory area. Since mypol.pp is the
> non-human-readable file going into /etc/selinux/, it's hard to tell how
> it differs from the prior version. Because of some alerts reappearing
> after running several of the above mypol recipes, I'm thinking that this
> does not insert into and thus update /etc/selinux/, perhaps it replaces
> the old mypol with a new mypol (thus losing prior rules). Does the mypol
> file in the system get completely overwritten with only the single most
> recent command? Or does the mypol then contain the sum of the rules
> entered this way? Should there be an alternate file name instead of
> "mypol" each time a new rule is updated for local policy? Is there a
> tool which would allow me to find out what is in the mypol file of
> /etc/selinux/ or any specific binary policy file?

Your suspicion is correct.  Each time you run the above you are creating 
a completely new mypol module and replacing the existing one.  If you no 
longer capture avc denials in /var/log/audit/audit.log (because they are 
allowed in the current mypol), then you will lose those.

Couple things to try:
- grep through all of the old audit.log files as well to capture the 
original denials as well.
- create a new policy module with audit2allow, then merge the .tt files. 
  They aren't too bad once you get the hang of them.  You can find rules 
on the web to build .pp from .tt.
- You could do multiple modules, but that seems unwieldy and inelegant.



-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
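
The merge-and-rebuild approach suggested in the reply above, sketched as an added example that is not part of the original message. The function names are hypothetical, the sample modules are constructed, and the source files use the `.te` extension that `audit2allow -M` writes.

```sh
# merge_te NAME FILE... : union of several module sources, written to stdout.
merge_te() {
    name=$1; shift
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    sed -n 's/^[[:space:]]*\(type [^;]*;\).*/    \1/p' "$@" | LC_ALL=C sort -u
    # Permissions per class: flatten to "class perm" pairs, dedupe, regroup.
    awk '$1 == "class" { for (i = 3; i <= NF; i++) {
             p = $i; gsub(/[{};]/, "", p); if (p != "") print $2, p } }' "$@" |
        LC_ALL=C sort -u |
        awk '$1 != c { if (c != "") printf "    class %s { %s};\n", c, s; c = $1; s = "" }
             { s = s $2 " " }
             END { if (c != "") printf "    class %s { %s};\n", c, s }'
    printf '}\n\n'
    # allow rules are additive, so only exact duplicates are dropped.
    grep -h '^allow ' "$@" | LC_ALL=C sort -u
}

# Compile and load NAME.te (needs root and the SELinux policy tools).
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Constructed sample: two module sources from two separate audit2allow runs.
demo_merge() {
    d=$(mktemp -d) || return 1
    cat > "$d/a.te" <<'EOF'
module mypol 1.0;
require {
    type httpd_t;
    type user_home_t;
    class file { read open };
}
allow httpd_t user_home_t:file { read open };
EOF
    cat > "$d/b.te" <<'EOF'
module mypol 1.0;
require {
    type httpd_t;
    type var_log_t;
    class file append;
    class dir search;
}
allow httpd_t var_log_t:file append;
allow httpd_t var_log_t:dir search;
EOF
    merge_te mypol "$d/a.te" "$d/b.te"; rm -rf "$d"
}
```

Review the merged source before loading it; every `allow` line it carries becomes part of the single replacement module.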

