Creating SELinux policies
In some cases, you'll need to create a new SELinux policy—for instance, when installing a piece of software from source. Although I do not recommend installing software from source on enterprise systems, this is sometimes your only option for company-developed software.
It is then time to create your own SELinux policy.
Getting ready
For this recipe, you need to have policycoreutils-python installed.
How to do it…
We'll use the denied entries in the audit.log log file to build our SELinux policy with audit2allow.
In this recipe, we'll use the same example as in the previous recipe: the SELinux context of /var/www/html/index.html that is changed to system_u:object_r:user_home_t:s0. Perform the following steps:
First, create a human-readable policy for verification via the following command:
~# egrep 'avc.*denied' /var/log/audit/audit.log | audit2allow -m example_policy
module example_policy 1.0;
require {
        type httpd_t;
        type user_home_t;
        class file...
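The egrep above hands every denial in audit.log to audit2allow, so it is worth checking which source domain, target type, class and permission each denial involves before generating rules from them. The following script is an added example, not code from the original recipe; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: review AVC denials before handing them to audit2allow.

# Constructed sample of audit.log content (not real log data).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1400000001.202:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000002.303:203): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000003.404:204): avc:  denied  { write } for  pid=900 comm="ntpd" name="messages" dev="dm-0" ino=2002 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# Print "count source_type target_type class perms" per distinct denial.
summarize_denials() {
    awk '/avc:.*denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")                      # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort
}

# Keep only denials whose source domain is $1 (for example httpd_t),
# so unrelated denials do not end up in the generated module.
denials_for() {
    grep -E "avc:.*denied.*scontext=[^ ]*:$1:"
}

sample_log | summarize_denials
# On a real host (log path and module name as in the recipe):
#   denials_for httpd_t < /var/log/audit/audit.log | audit2allow -m example_policy
```

In the constructed sample, the summary shows an ntpd_t denial alongside the httpd_t ones; an unfiltered pipe would turn that into an allow rule in example_policy as well.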