SELinux Survival Guide 
Wednesday, 10 October 2018, 12:56 - Linux Stuff, RedHat Stuff
On SELinux-enabled systems (the default on CentOS/RHEL 6.x and higher), SELinux may deny access when system utilities are called from a daemon's context for automation or monitoring purposes.

You will see deny messages in /var/log/audit.log indicating that SELinux is blocking access.

Follow this procedure to allow the things denied by SELinux policies:

Build SELinux Policy


1. Set the context concerned to permissive (denials will still be logged to audit.log):
semanage permissive -a zabbix_agent_t
2. Enable logging even for rules that are set to dontaudit:
semodule -DB
3. Now let the programme or script do its intended job.

Important: If the programme does things that are not done on every run, like caching (e.g. yum), try to clean the programme's cache before running it so you catch everything it may do!

4. Search the log entries and build a policy module and package from them, starting the analysis from today's date (and optionally a time spec):
ausearch -r -m avc -ts today [HH:MM] | audit2allow -M zabbix_megacli

5. Import policy package:
semodule -i zabbix_megacli.pp

6. Disable permissive mode for context again:
semanage permissive -d zabbix_agent_t

7. Disable logging of rules defined as dontaudit:
semodule -B

8. Test if intended stuff works now!
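
An added example, not part of the original post: the ausearch call in step 4 picks up every AVC denial logged since the given time, not only those from zabbix_agent_t, so it helps to see which allow rules the log would yield before importing the package in step 5. The Python code below groups AVC records into rules for the intended domain and lists denials from other domains separately; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields of a raw AVC denial record as printed by `ausearch -r -m avc`.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    """Extract the type from a user:role:type:level context."""
    return context.split(":")[2]

def render(groups):
    """Turn {(source, target, class): perms} into sorted allow-rule strings."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

def summarize(lines, domain):
    """Return (rules for `domain`, rules that other domains would receive)."""
    wanted, foreign = defaultdict(set), defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, e.g. a SYSCALL record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        # Same source and target type is written as "self" in policy rules.
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        (wanted if src == domain else foreign)[key].update(m["perms"].split())
    return render(wanted), render(foreign)

# Constructed sample records, not taken from a real host.
SAMPLE = [
    'type=AVC msg=audit(1539168960.101:801): avc:  denied  { read open } for  pid=2211 comm="MegaCli64" path="/dev/example0" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1539168960.105:802): avc:  denied  { ioctl } for  pid=2211 comm="MegaCli64" path="/dev/example0" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1539168960.110:803): avc:  denied  { sys_rawio } for  pid=2211 comm="MegaCli64" capability=17 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=capability',
    'type=AVC msg=audit(1539168961.002:804): avc:  denied  { write } for  pid=900 comm="httpd" name="example.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1539168961.002:804): arch=c000003e syscall=2 success=no',
]

if __name__ == "__main__":
    rules, foreign = summarize(SAMPLE, "zabbix_agent_t")
    print("Rules for zabbix_agent_t:", *rules, sep="\n  ")
    print("Denials from other domains (review before allowing):", *foreign, sep="\n  ")
```

On a real host the same functions can be fed the output of the ausearch command from step 4 instead of the sample list.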

Adjust policy


When you still see a few single denials in audit.log and quickly want to complete the policy with the rules seen, you may:

1. Edit zabbix_megacli.te and add the missing operations like write, lock, etc. to the allow rules - don't forget to also specify those operations within the class concerned!

2. Compile module file:
checkmodule -M -m -o zabbix_megacli.mod zabbix_megacli.te
3. (Re-)create the module package from the module file:
semodule_package -o zabbix_megacli.pp -m zabbix_megacli.mod

4. Import policy package:
semodule -i zabbix_megacli.pp

For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html


Apply Policy to other hosts


1. Copy the policy package (<policy>.pp) to the host you want to apply the policy to

2. Run the following command on every machine to load the package:
semodule -i zabbix_megacli.pp
