First, I seeded the audit log by trying to access files from lighttpd, then I looked at the last few lines of audit.log and made a module using audit2allow.
[root@server ~]# tail -1000 /var/log/audit/audit.log |audit2allow -m lighttpd >lighttpd.te
[root@server ~]# cat lighttpd.te
module lighttpd 1.0;
require {
type httpd_t;
type samba_share_t;
class dir { read getattr search };
class file { write read getattr lock };
class lnk_file { write read getattr lock };
}
#============= httpd_t ==============
allow httpd_t samba_share_t:dir {read getattr search};
allow httpd_t samba_share_t:lnk_file {read};
allow httpd_t samba_share_t:file {getattr};
[root@server ~]#
Next, compile the module with checkmodule, package it with semodule_package, and install it with semodule:
[root@server ~]# checkmodule -M -m -o lighttpd.mod lighttpd.te
checkmodule: loading policy configuration from lighttpd.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to lighttpd.mod
[root@server ~]# semodule_package -o lighttpd.pp -m lighttpd.mod
[root@server ~]# semodule -i lighttpd.pp
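As an added illustration (not part of the original post), the shell function below does in miniature what audit2allow -m did with the lines from tail -1000 above: it collapses each AVC "denied" record into its source type, target type, object class and permissions, and emits the require block plus one allow rule per (source, target, class) triple, so you can see which denial each rule came from before you load it. The audit lines are constructed, not captured from a real server, and the helper is a hypothetical stand-in, not the real audit2allow.

```shell
#!/bin/sh
# Constructed sample AVC denials (not captured from a real system), in audit.log format.
SAMPLE_AVC='type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=2101 comm="lighttpd" name="share" dev="sda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { search } for  pid=2101 comm="lighttpd" name="share" dev="sda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { getattr } for  pid=2101 comm="lighttpd" path="/share/index.html" dev="sda1" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.003:103): arch=c000003e syscall=4 success=no exit=-13'

# avc_to_te MODULE: read audit.log lines on stdin, print a .te module skeleton.
# Hypothetical helper mimicking "audit2allow -m"; it only handles AVC "denied" records.
avc_to_te() {
  awk -v module="$1" '
    $1 == "type=AVC" && /avc: +denied/ {
      # the permissions are the words between { and }
      perms = $0
      sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      # source type, target type and object class come from the context fields
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      types[s] = 1; types[t] = 1
      key = s SUBSEP t SUBSEP c
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
        if (!((c, p[j]) in cseen))  { cseen[c, p[j]] = 1; cls[c] = cls[c] " " p[j] }
      }
    }
    END {
      print "module " module " 1.0;"
      print "require {"
      for (ty in types) print "\ttype " ty ";"
      for (c in cls)    print "\tclass " c " {" cls[c] " };"
      print "}"
      for (k in rule) {
        split(k, f, SUBSEP)
        # flag rules that grant more than read access so they get a second look before semodule -i
        if (rule[k] ~ /write|append|execute|relabel/)
          print "# REVIEW: " f[1] " would gain modify/exec rights on " f[2] ":" f[3]
        print "allow " f[1] " " f[2] ":" f[3] " {" rule[k] " };"
      }
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_te lighttpd
```

Pipe real denials into it the same way the post does (`tail -1000 /var/log/audit/audit.log | avc_to_te lighttpd`) and compare the result with what audit2allow produces; any rule that the REVIEW line flags deserves a look at whether the access is really needed before the module is installed.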
If your module doesn't fix the problem after that, the remaining denials are probably being suppressed by the policy's dontaudit (noaudit) rules. Load the enableaudit base module, which has those rules turned off, try to access the content again, and repeat the steps above with the new denials:
[root@server ~]# semodule -b /usr/share/selinux/targeted/enableaudit.pp
After you have found all the allows you need, re-enable the default base policy with this:
[root@server ~]# semodule -b /usr/share/selinux/targeted/base.pp