How to create a SELinux policy module with existing output from audit2allow?SELinux - allowing rsyslog open/read access to some filesSELinux: allow a process to create any file in a certain directoryCreate an RPM to distribute a custom SELinux policyHow to get SELinux to prevent Apache/HTTPD from reading specific filesSELinux Enforcing is preventing logging into another user account?Where to put the SElinux policy generated by audit2allow?how to create a custom SELinux labelPostfix unable to read ssl certs in default location due to SELinux policy on CentOS 6.7Create custom SELinux file context/type from CILSELinux Interfering With sss_cache

Draw simple lines in Inkscape

Non-Jewish family in an Orthodox Jewish Wedding

Can Medicine checks be used, with decent rolls, to completely mitigate the risk of death from ongoing damage?

Extreme, but not acceptable situation and I can't start the work tomorrow morning

Is there a minimum number of transactions in a block?

Shell script can be run only with sh command

A function which translates a sentence to title-case

How do you conduct xenoanthropology after first contact?

Can I make popcorn with any corn?

Example of a relative pronoun

How to determine if window is maximised or minimised from bash script

How can the DM most effectively choose 1 out of an odd number of players to be targeted by an attack or effect?

Patience, young "Padovan"

How to make payment on the internet without leaving a money trail?

What is GPS' 19 year rollover and does it present a cybersecurity issue?

Is it possible to do 50 km distance without any previous training?

Could a US political party gain complete control over the government by removing checks & balances?

Finding files for which a command fails

cryptic clue: mammal sounds like relative consumer (8)

Chess with symmetric move-square

A Journey Through Space and Time

N.B. ligature in Latex

Does the radius of the Spirit Guardians spell depend on the size of the caster?

Copenhagen passport control - US citizen



How to create a SELinux policy module with existing output from audit2allow?


SELinux - allowing rsyslog open/read access to some filesSELinux: allow a process to create any file in a certain directoryCreate an RPM to distribute a custom SELinux policyHow to get SELinux to prevent Apache/HTTPD from reading specific filesSELinux Enforcing is preventing logging into another user account?Where to put the SElinux policy generated by audit2allow?how to create a custom SELinux labelPostfix unable to read ssl certs in default location due to SELinux policy on CentOS 6.7Create custom SELinux file context/type from CILSELinux Interfering With sss_cache






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















I know the standard way of creating a SELinux policy module, like



cat <auditlog_file> | audit2allow -M <module_name>


However, is there a way to create a policy module if all I have is the why output from audit2allow, e.g.



cat <auditlog_file> | audit2allow


Gives me:



#============= httpd_t ==============

allow httpd_t default_t:sock_file write;
allow httpd_t unconfined_t:unix_stream_socket connectto;


How do I create a policy if I have the above output and not the ability to cat the audit log file again and run it through audit2allow -M?






selinux







share|improve this question






























    2















    I know the standard way of creating a SELinux policy module, like



    cat <auditlog_file> | audit2allow -M <module_name>


    However, is there a way to create a policy module if all I have is the why output from audit2allow, e.g.



    cat <auditlog_file> | audit2allow


    Gives me:



    #============= httpd_t ==============

    allow httpd_t default_t:sock_file write;
    allow httpd_t unconfined_t:unix_stream_socket connectto;


    How do I create a policy if I have the above output and not the ability to cat the audit log file again and run it through audit2allow -M?






    selinux







    share|improve this question


























      2












      2








      2








      I know the standard way of creating a SELinux policy module, like



      cat <auditlog_file> | audit2allow -M <module_name>


      However, is there a way to create a policy module if all I have is the why output from audit2allow, e.g.



      cat <auditlog_file> | audit2allow


      Gives me:



      #============= httpd_t ==============

      allow httpd_t default_t:sock_file write;
      allow httpd_t unconfined_t:unix_stream_socket connectto;


      How do I create a policy if I have the above output and not the ability to cat the audit log file again and run it through audit2allow -M?






      selinux







      share|improve this question
















      I know the standard way of creating a SELinux policy module, like



      cat <auditlog_file> | audit2allow -M <module_name>


      However, is there a way to create a policy module if all I have is the why output from audit2allow, e.g.



      cat <auditlog_file> | audit2allow


      Gives me:



      #============= httpd_t ==============

      allow httpd_t default_t:sock_file write;
      allow httpd_t unconfined_t:unix_stream_socket connectto;


      How do I create a policy if I have the above output and not the ability to cat the audit log file again and run it through audit2allow -M?






      selinux




      selinux






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 27 at 17:49









      sebasth

      8,74632450




      8,74632450










      asked Mar 27 at 17:40









      mhchaudhrymhchaudhry

      133




      133




















          1 Answer
          1






          active

          oldest

          votes


















          3














          You can place the output in .te file. In addition you need a few more lines, module and require statements. You need to define module name and version with module statement and required types in require statement.



          module my_module 1.0.0;

          require 
           class sock_file write ;
           class unix_stream_socket connectto ;
           type httpd_t, default_t, unconfined_t;



          allow httpd_t default_t:sock_file write;
          allow httpd_t unconfined_t:unix_stream_socket connectto;


          You can then compile and build the policy module using checkmodule and semodule_package as described in audit2allow man page examples: 



          checkmodule -M -m -o my_module.mod my_module.te
          semodule_package -o my_module.pp -m my_module.mod





          share|improve this answer























          • This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

            – mhchaudhry
            Mar 27 at 18:16











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f509045%2fhow-to-create-a-selinux-policy-module-with-existing-output-from-audit2allow%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          3














          You can place the output in .te file. In addition you need a few more lines, module and require statements. You need to define module name and version with module statement and required types in require statement.



          module my_module 1.0.0;

          require 
           class sock_file write ;
           class unix_stream_socket connectto ;
           type httpd_t, default_t, unconfined_t;



          allow httpd_t default_t:sock_file write;
          allow httpd_t unconfined_t:unix_stream_socket connectto;


          You can then compile and build the policy module using checkmodule and semodule_package as described in audit2allow man page examples: 



          checkmodule -M -m -o my_module.mod my_module.te
          semodule_package -o my_module.pp -m my_module.mod





          share|improve this answer























          • This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

            – mhchaudhry
            Mar 27 at 18:16















          3














          You can place the output in .te file. In addition you need a few more lines, module and require statements. You need to define module name and version with module statement and required types in require statement.



          module my_module 1.0.0;

          require 
           class sock_file write ;
           class unix_stream_socket connectto ;
           type httpd_t, default_t, unconfined_t;



          allow httpd_t default_t:sock_file write;
          allow httpd_t unconfined_t:unix_stream_socket connectto;


          You can then compile and build the policy module using checkmodule and semodule_package as described in audit2allow man page examples: 



          checkmodule -M -m -o my_module.mod my_module.te
          semodule_package -o my_module.pp -m my_module.mod





          share|improve this answer























          • This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

            – mhchaudhry
            Mar 27 at 18:16













          3












          3








          3







          You can place the output in .te file. In addition you need a few more lines, module and require statements. You need to define module name and version with module statement and required types in require statement.



          module my_module 1.0.0;

          require 
           class sock_file write ;
           class unix_stream_socket connectto ;
           type httpd_t, default_t, unconfined_t;



          allow httpd_t default_t:sock_file write;
          allow httpd_t unconfined_t:unix_stream_socket connectto;


          You can then compile and build the policy module using checkmodule and semodule_package as described in audit2allow man page examples: 



          checkmodule -M -m -o my_module.mod my_module.te
          semodule_package -o my_module.pp -m my_module.mod





          share|improve this answer













          You can place the output in .te file. In addition you need a few more lines, module and require statements. You need to define module name and version with module statement and required types in require statement.



          module my_module 1.0.0;

          require 
           class sock_file write ;
           class unix_stream_socket connectto ;
           type httpd_t, default_t, unconfined_t;



          allow httpd_t default_t:sock_file write;
          allow httpd_t unconfined_t:unix_stream_socket connectto;


          You can then compile and build the policy module using checkmodule and semodule_package as described in audit2allow man page examples: 



          checkmodule -M -m -o my_module.mod my_module.te
          semodule_package -o my_module.pp -m my_module.mod






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 27 at 17:58









          sebasthsebasth

          8,74632450




          8,74632450












          • This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

            – mhchaudhry
            Mar 27 at 18:16

















          • This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

            – mhchaudhry
            Mar 27 at 18:16
















          This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

          – mhchaudhry
          Mar 27 at 18:16





          This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.

          – mhchaudhry
          Mar 27 at 18:16

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f509045%2fhow-to-create-a-selinux-policy-module-with-existing-output-from-audit2allow%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -selinux
          -

          Popular posts from this blog

          Mobil Contents History Mobil brands Former Mobil brands Lukoil transaction Mobil UK Mobil Australia Mobil New Zealand Mobil Greece Mobil in Japan Mobil in Canada Mobil Egypt See also References External links Navigation menuwww.mobil.com"Mobil Corporation"the original"Our Houston campus""Business & Finance: Socony-Vacuum Corp.""Popular Mechanics""Lubrite Technologies""Exxon Mobil campus 'clearly happening'""Toledo Blade - Google News Archive Search""The Lion and the Moose - How 2 Executives Pulled off the Biggest Merger Ever""ExxonMobil Press Release""Lubricants""Archived copy"the original"Mobil 1™ and Mobil Super™ motor oil and synthetic motor oil - Mobil™ Motor Oils""Mobil Delvac""Mobil Industrial website""The State of Competition in Gasoline Marketing: The Effects of Refiner Operations at Retail""Mobil Travel Guide to become Forbes Travel Guide""Hotel Rankings: Forbes Merges with Mobil"the original"Jamieson oil industry history""Mobil news""Caltex pumps for control""Watchdog blocks Caltex bid""Exxon Mobil sells service station network""Mobil Oil New Zealand Limited is New Zealand's oldest oil company, with predecessor companies having first established a presence in the country in 1896""ExxonMobil subsidiaries have a business history in New Zealand stretching back more than 120 years. We are involved in petroleum refining and distribution and the marketing of fuels, lubricants and chemical products""Archived copy"the original"Exxon Mobil to Sell Its Japanese Arm for $3.9 Billion""Gas station merger will end Esso and Mobil's long run in Japan""Esso moves to affiliate itself with PC Optimum, no longer Aeroplan, in loyalty point switch""Mobil brand of gas stations to launch in Canada after deal for 213 Loblaws-owned locations""Mobil Nears Completion of Rebranding 200 Loblaw Gas Stations""Learn about ExxonMobil's operations in Egypt""Petrol and Diesel Service Stations in Egypt - Mobil"Official websiteExxon Mobil corporate websiteMobil Industrial official websiteeeeeeeeDA04275022275790-40000 0001 0860 5061n82045453134887257134887257

          Image
          Aera EnergyEssoEsso AustraliaExxonExxon NeftegasHumble OilImperial OilMagnolia Petroleum CompanyMobilMobil Producing NigeriaPetronSeaRiver MaritimeSuperior Oil CompanySyncrudeVacuum Oil CompanyXTO EnergyBaton Rouge RefineryBaytown RefineryMilford HavenExxon Building (New York)Fawley RefineryImperial Oil BuildingMossmorranNanticoke Refinery2010 ExxonMobil oil spill2010 Port Arthur oil spill2013 Mayflower oil spill Exxon Valdez oil spillGreenpoint oil spillSS Atlantic Empress SS Esso Brussels Colony Shale Oil ProjectEast-Prinovozemelsky fieldGoose Creek Oil FieldKearl Oil Sands ProjectKizomba deepwater projectOrmen LangePembina oil fieldPrudhoe Bay Oil FieldSable Offshore Energy ProjectSakhalin-ITengiz FieldTern oilfieldTuapse fieldWest Qurna FieldNational OilSasolSparSpar Express759 Store7-ElevenCircle KCUDaily YamazakiFamilyMartGS25LawsonMinistopParknShopPoplarSparStorywayVanGOemartSparampmBuy the WayBP ConnectCircle K SunkusDaily StopOn the Run7-ElevenBargain BoozeBest-OneBP ConnectB
          Read more

          Frič See also Navigation menuinternal link

          Image
          SurnamesCzech-language surnames ‹ The template Infobox surname is being considered for merging. › Frič Origin Language(s) Czechized German (eastern Middle German dialects and Alemannic German) - Thuringian, Upper Saxon, Low Lusatian, Silesian Meaning derived from German: Friedrich Other names Variant(s) Fritsch, Fritzsch, Frycz, Fricz, Fryczyński, Frietsch, Fritsche, Fritzsche; Fritschi (Alemannic), Fritz, Fritze, Fritzel, Fritzl, Fritzke, Fritzen Frič is a Czechized German surname. Notable people with the surname include: Alberto Vojtěch Frič, Czech botanist Antonín Jan Frič (Fritsch) , Czech paleontologist Jaroslav Erik Frič, Czech poet Martin Frič, Czech film director, screenwriter and actor See also Fričovce (Hungarian: Frics ) .mw-parser-output table.dmboxclear:both;margin:0.9em 1em;border-top:1px solid #ccc;border-bottom:1px solid #ccc;background-color:transparent Surname list This page lists people with the surname Frič . If an internal link intending to refer to a specifi
          Read more

          Identify plant with long narrow paired leaves and reddish stems Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?What is this plant with long sharp leaves? Is it a weed?What is this 3ft high, stalky plant, with mid sized narrow leaves?What is this young shrub with opposite ovate, crenate leaves and reddish stems?What is this plant with large broad serrated leaves?Identify this upright branching weed with long leaves and reddish stemsPlease help me identify this bulbous plant with long, broad leaves and white flowersWhat is this small annual with narrow gray/green leaves and rust colored daisy-type flowers?What is this chilli plant?Does anyone know what type of chilli plant this is?Help identify this plant

          Image
          Apollo command module space walk? prime numbers and expressing non-prime numbers Can a non-EU citizen traveling with me come with me through the EU passport line? Extract all GPU name, model and GPU ram How to deal with a team lead who never gives me credit? Why was the term "discrete" used in discrete logarithm? Why do we bend a book to keep it straight? When do you get frequent flier miles - when you buy, or when you fly? How come Sam didn't become Lord of Horn Hill? At the end of Thor: Ragnarok why don't the Asgardians turn and head for the Bifrost as per their original plan? Is it true that "carbohydrates are of no use for the basal metabolic need"? Using et al. for a last / senior author rather than for a first author How to tell that you are a giant? How to react to hostile behavior from a senior developer? String `!23` is replaced with `docker` in command line How to find out what spells would be useless to a blind NPC sp
          Read more