making an SELinux module quickly

By thomas, 24 July, 2009
In this example I was trying to serve the same files from samba and lighttpd at the same time. I labelled the files with the samba_share_t type, and after that lighttpd (which runs in the httpd_t domain) could no longer access them, because the default policy has no rule letting httpd_t read samba_share_t. I needed to make an SELinux module to fix the problem. Here are the steps to create the module quickly.

First, I seeded the audit log with denials by trying to access the files through lighttpd, then I fed the last few lines of audit.log to audit2allow to generate the module source.

[root@server ~]# tail -1000 /var/log/audit/audit.log | audit2allow -m lighttpd > lighttpd.te
[root@server ~]# cat lighttpd.te
module lighttpd 1.0;

require {
    type httpd_t;
    type samba_share_t;
    class dir { read getattr search };
    class file { write read getattr lock };
    class lnk_file { write read getattr lock };
}

#============= httpd_t ==============
allow httpd_t samba_share_t:dir {read getattr search};
allow httpd_t samba_share_t:lnk_file {read};
allow httpd_t samba_share_t:file {getattr};
[root@server ~]#

Before going further, read the allow rules in lighttpd.te: audit2allow writes an allow for every denial you feed it, so anything else that happened to land in the last 1000 lines of audit.log would be granted as well.

Next I compile the module with checkmodule, package it with semodule_package, and load it with semodule:

[root@server ~]# checkmodule -M -m -o lighttpd.mod lighttpd.te
checkmodule: loading policy configuration from lighttpd.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to lighttpd.mod
[root@server ~]# semodule_package -o lighttpd.pp -m lighttpd.mod
[root@server ~]# semodule -i lighttpd.pp

If your module doesn't fix the problem after that, the remaining denials are probably being silenced by dontaudit rules. Swap in the enableaudit base module, which turns those rules off, and try to access the content again so the hidden denials show up in audit.log:

[root@server ~]# semodule -b /usr/share/selinux/targeted/enableaudit.pp

After you have found all the allows you need, you can enable the default base policy again with this:

[root@server ~]# semodule -b /usr/share/selinux/targeted/base.pp
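Because `tail -1000 ... | audit2allow` picks up every denial in that window, it helps to narrow the log to the one access path you are fixing and to look at the requested permissions before building the module. The following is an added example (not part of the original post): two small shell functions with a constructed sample audit.log; the function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example: restrict the AVC denials handed to audit2allow to one
# source domain / target type pair, and summarize what they ask for.
# Function names and the sample log below are constructed for this example.

# Usage: filter_avc LOGFILE SOURCE_TYPE TARGET_TYPE
# Prints only AVC denials whose scontext type is SOURCE_TYPE and whose
# tcontext type is TARGET_TYPE (e.g. httpd_t and samba_share_t).
filter_avc() {
    grep 'type=AVC' "$1" \
        | grep "scontext=[^ ]*:$2:" \
        | grep "tcontext=[^ ]*:$3:"
}

# Usage: summarize_avc < AVC-LINES
# Emits one "class { perms }" line per distinct denial, for review
# before the rules are turned into a module and loaded.
summarize_avc() {
    sed -n 's/.*denied *{ *\([^}]*\)} .*tclass=\([a-z_]*\).*/\2 { \1}/p' | sort -u
}

# Constructed sample audit.log: two denials matching the lighttpd/samba_share_t
# case from the post, plus an unrelated smbd denial that must stay out of the module.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1248437500.101:201): avc:  denied  { read } for  pid=2101 comm="lighttpd" name="share" dev=sda1 ino=4001 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1248437500.102:202): avc:  denied  { getattr } for  pid=2101 comm="lighttpd" path="/srv/share/index.html" dev=sda1 ino=4002 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1248437500.103:203): avc:  denied  { write } for  pid=1877 comm="smbd" name="log.smbd" dev=sda1 ino=9001 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF

# On the real server this replaces the tail -1000 pipeline from the post:
#   filter_avc /var/log/audit/audit.log httpd_t samba_share_t | audit2allow -m lighttpd > lighttpd.te
# Here we only print the review summary for the sample log.
filter_avc "$SAMPLE_LOG" httpd_t samba_share_t | summarize_avc
```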