Howto: Rid yourself of SELinux denials by creating custom rules



Firewing1
14th May 2006, 02:42 AM
Hello,

Recently I was advised to give SELinux another try, now that FC5 has an updated F.A.Q. for it and better policy rules.

I have to say I was pleased that it ran well, but displeased that, for example, by ticking 'disable protection for HTTPD daemon' access was still denied to some HTTPD features (specifically: file uploads with PHP, and writing to home directories. There was no option to allow these!) The same went for Samba and a few others... I couldn't access or write any of my shares until I made custom rules. Irritating.

I visited several sites and found out a very nice way to make custom rules that will take audit:denied messages from your logs, turn them into audit:allow SELinux policy rules and then apply them. In other words, you're making custom rules so that a 'denied' message becomes a 'granted' message. So, when something isn't working and SELinux is the culprit, here's how to make a custom rule:

(1) Make sure you're root:
su -

(2) Check your log for audit messages:
dmesg

(3) Next, let's add that to your customaudit.log:

echo 'paste_the_SELinux_denied_message_here' >> customaudit.log
Note the >>. NEVER use a single >: This will overwrite the file, causing a loss of all the previous custom rules. >> appends to the file, so you'll keep your old rules plus the new one.

(4) Run:

audit2allow -M custom_rules < customaudit.log
setenforce 0
semodule -r custom_rules
semodule -i custom_rules.pp
setenforce 1
Your new rules are now installed. If you'd like, the custom_rules.te file will show you the exact SELinux policy rules that were applied.
Enjoy!
Firewing1
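As an added illustration of what step (4) produces (this is example code written for this page, not part of the original post and not the real audit2allow tool), the script below parses AVC "denied" lines in the dmesg format the post pastes into customaudit.log, merges them into allow rules keyed by source type, target type and object class, and renders the kind of custom_rules.te that audit2allow -M writes. The denial lines in SAMPLE_DENIALS are constructed for the example; the function names parse_denials, build_allow_rules and render_te are this example's own. Seeing the .te laid out this way makes it easy to check, before semodule -i, exactly which domain gains which permission on which type, since every allow rule permanently widens what that daemon may do.

```python
import re
from collections import defaultdict

# Constructed sample denials in the kernel/dmesg format the post refers to.
# These are illustrative lines for the example, not taken from the thread.
SAMPLE_DENIALS = """\
audit(1147567890.123:45): avc:  denied  { write } for  pid=2345 comm="httpd" name="uploads" dev=hda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
audit(1147567891.456:46): avc:  denied  { add_name } for  pid=2345 comm="httpd" name="photo.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
audit(1147567892.789:47): avc:  denied  { read } for  pid=3456 comm="smbd" name="music" dev=hda3 ino=99 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
not an avc line at all
"""

# Matches the permission set, source context, target context and object class of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denied line.

    Lines that are not AVC denials (anything else in dmesg) are skipped.
    """
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = tuple(sorted(m.group("perms").split()))
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        found.append((stype, ttype, m.group("tclass"), perms))
    return found


def build_allow_rules(denials):
    """Merge denials into allow rules keyed by (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def render_te(module_name, denials, version="1.0"):
    """Render a policy module source (.te): module header, require block, allow rules."""
    types = sorted({t for stype, ttype, _, _ in denials for t in (stype, ttype)})
    classes = defaultdict(set)
    for _, _, tclass, perms in denials:
        classes[tclass].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + build_allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Review the generated module before installing it with semodule -i.
    print(render_te("custom_rules", parse_denials(SAMPLE_DENIALS)))
```

Run it against a real customaudit.log by replacing SAMPLE_DENIALS with the file's contents; the output corresponds to the custom_rules.te that step (4) generates, and each "allow" line is a permission the named daemon domain will keep from then on.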