audit2allow to the Rescue!

Fortunately, SELinux is also pretty good about logging exactly what happened. If you examine /var/log/audit/audit.log you’ll see entries like these:

It’s a bunch of gobbledygook, right? With a bit of effort, we can see what’s being denied: a read on the _.vsm file, by the varnishstat command. But how do we fix it?
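To make the denial readable without squinting at the raw fields, here is a small shell helper that pulls the denied permission, object class, file name or path, and the source and target SELinux types out of AVC records for one command name. It is an added example, not code from the original post; the audit log lines it runs on are constructed samples (the type names, PIDs and inode numbers are illustrative), and the helper assumes only grep and awk.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for a given command name.
# Not from the original post. Reads audit.log records on stdin.

# Constructed sample excerpt of /var/log/audit/audit.log (illustrative values,
# SYSCALL record trimmed; a real log carries many more fields).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1546300800.123:456): avc:  denied  { read } for  pid=1234 comm="varnishstat" name="_.vsm" dev="tmpfs" ino=12345 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:varnishd_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1546300800.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=1234 uid=997 comm="varnishstat" exe="/usr/bin/varnishstat" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(1546300801.500:457): avc:  denied  { getattr } for  pid=2222 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=6789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_denials <comm>  (audit records on stdin)
# Prints one line per AVC denial for that command:
#   <permissions> <class> <name-or-path> <source type> -> <target type>
summarize_denials() {
    comm_filter="$1"
    grep 'type=AVC' | grep "comm=\"$comm_filter\"" | grep 'denied' |
    awk '{
        perm = ""; cls = ""; obj = "?"; src = ""; tgt = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission listed between "{" and "}"
                i++
                while (i <= NF && $i != "}") {
                    perm = (perm == "") ? $i : (perm "," $i)
                    i++
                }
            } else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            else if ($i ~ /^(name|path)=/) {
                obj = $i; sub(/^[a-z]+="/, "", obj); sub(/"$/, "", obj)
            }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
        }
        print perm, cls, obj, src, "->", tgt
    }'
}

# Demo against the constructed sample: reports the _.vsm read denial only.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_denials varnishstat
```

On a real system you would run `summarize_denials varnishstat < /var/log/audit/audit.log` (the audit log is normally readable only by root). Filtering on the command name is the same idea as the grep the post feeds to audit2allow, and it is why checking the output matters: a loose filter pulls in denials from unrelated processes.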

This is where SELinux can get very complicated. Policy files are a magic all their own, and I’ve not really delved very deeply into it. There’s a lot I don’t know. Fortunately, though, the audit2allow tool solves this problem neatly.

Running the tool (with the -m option to provide a policy module name) and feeding it the relevant part of the audit log results in the following output:

The content is that of a simple SELinux security policy. This can then be fed to the various SELinux tools to generate and install the actual policy module. Simple, right?

Note that you should examine this output carefully before using it to generate and install a policy. The grep is indiscriminate, and you might generate policies you didn’t intend to. Don’t be afraid to prune stuff that you don’t think belongs; the worst thing that will likely happen is that you’ll have to start over.

Compiling an SELinux Policy

The output of audit2allow is an SELinux policy source file. These are (for reasons unknown to me) usually stored in files with a .te extension. Don’t forget to verify what you see there before saving it; if it doesn’t look right, then it probably isn’t, and you run SELinux for security purposes, right? Be sure you’re happy with the policy.

Once you have your source file (fio-zabbix-agent.te in our case, matching the module name we gave to audit2allow’s -m option), the next thing you need to do is compile it down into an installable package. This isn’t terribly difficult, but nor is it obvious to the uninitiated. Googling around will eventually lead you to the answer, but finding the whys and wherefores (without wading through a bunch of unnecessary technical nonsense) is a bit more difficult.

This process is accomplished in three steps:

  1. Install the required tools. In RHEL 7.x, these are contained in the checkpolicy, policycoreutils, and policycoreutils-python packages. Use yum to install them, and you’re set; no configuration required.
  2. Compile the text policy down to a binary representation.
  3. Wrap the binary module in a policy package that the SELinux semodule tool can load.

We’ll skip over installing the packages; you already know how to do that, right? Instead, we’ll go straight to compiling the module to binary. This process is fairly straightforward:

And that’s it. This step will give you the fio-zabbix-agent.mod file, which is the binary representation of the policy. With that done, we can move on to step 3:

Done. You now have the fio-zabbix-agent.pp file.

Now all you have to do is install it.
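The whole three-step build, wrapped in shell functions so the steps can be rerun and checked, as an added example that is not part of the original post. It assumes the checkmodule, semodule_package and semodule tools from the checkpolicy and policycoreutils packages named above, and it takes the module name from the `module NAME VERSION;` header that audit2allow writes at the top of its output. The .te file it writes is a constructed illustration of the shape of that output; the type names in it are assumptions, and the rule you actually compile should be the one audit2allow emitted for your own denial.

```shell
#!/bin/sh
# Added example: compile an SELinux policy source (.te) into a loadable
# package (.pp). Not from the original post. Requires checkmodule and
# semodule_package (checkpolicy / policycoreutils packages on RHEL 7).

# Constructed illustration of what "audit2allow -m fio-zabbix-agent" output
# looks like. The types are assumptions; use the rule audit2allow gave you.
write_sample_te() {
    cat > "$1" <<'EOF'
module fio-zabbix-agent 1.0;

require {
    type zabbix_agent_t;
    type varnishd_var_run_t;
    class file read;
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t varnishd_var_run_t:file read;
EOF
}

# Print the module name declared in the "module NAME VERSION;" header.
te_module_name() {
    awk '$1 == "module" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# build_policy_module <file.te>
# Steps 2 and 3 from the post: NAME.te -> NAME.mod -> NAME.pp in the current
# directory. Returns 0 and prints the .pp name on success, 2 if the build
# tools are not installed, 1 on any other failure.
build_policy_module() {
    te_file="$1"
    name=$(te_module_name "$te_file")
    [ -n "$name" ] || { echo "no module header in $te_file" >&2; return 1; }
    for tool in checkmodule semodule_package; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing $tool (install checkpolicy and policycoreutils)" >&2; return 2; }
    done
    # Step 2: compile the text policy to a binary module.
    # -M enables MLS/MCS support (the targeted policy uses MCS);
    # -m marks this as a non-base module.
    checkmodule -M -m -o "$name.mod" "$te_file" || return 1
    # Step 3: wrap the binary module in a package semodule can load.
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
    echo "$name.pp"
}

# Install and verify (as root):
#   semodule -i fio-zabbix-agent.pp
#   semodule -l | grep fio-zabbix-agent
```

Typical use is `write_sample_te fio-zabbix-agent.te` (or, better, redirect your real audit2allow output into that file), then `build_policy_module fio-zabbix-agent.te`, then the semodule -i line from the trailing comment. Keeping the .te file under version control alongside the command you used to generate it is what lets you "start over" cheaply when a rule turns out to be too broad.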
