How to create a SELinux policy module with existing output from audit2allow?
I know the standard way of creating a SELinux policy module, like

    cat <auditlog_file> | audit2allow -M <module_name>

However, is there a way to create a policy module if all I have is the why output from audit2allow, e.g.

    cat <auditlog_file> | audit2allow

Gives me:

    #============= httpd_t ==============
    allow httpd_t default_t:sock_file write;
    allow httpd_t unconfined_t:unix_stream_socket connectto;

How do I create a policy if I have the above output and not the ability to cat the audit log file again and run it through audit2allow -M?
selinux
edited Mar 27 at 17:49 by sebasth
asked Mar 27 at 17:40 by mhchaudhry
1 Answer
You can place the output in a .te file. In addition, you need a few more lines: module and require statements. You need to define the module name and version with the module statement and the required types in the require statement.

    module my_module 1.0.0;

    require {
        class sock_file { write };
        class unix_stream_socket { connectto };
        type httpd_t, default_t, unconfined_t;
    }

    allow httpd_t default_t:sock_file write;
    allow httpd_t unconfined_t:unix_stream_socket connectto;

You can then compile and build the policy module using checkmodule and semodule_package as described in the audit2allow man page examples:

    checkmodule -M -m -o my_module.mod my_module.te
    semodule_package -o my_module.pp -m my_module.mod
This worked. Thanks for the detailed explanation and using the sample case that was in my question to provide a thorough solution.
– mhchaudhry
Mar 27 at 18:16
answered Mar 27 at 17:58 by sebasth
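The procedure in the answer above can be scripted so that the module and require statements are derived from the saved rules instead of typed by hand. This is an added example, not code from the original answer; `rules_to_te` and `build_module` are hypothetical helper names, and the input is assumed to be audit2allow output with one source type and one target type per allow rule.

```shell
#!/bin/sh
# Added example (not from the original answer). rules_to_te and build_module
# are hypothetical helper names; input is assumed to be audit2allow output
# with one source type and one target type per allow rule.

# Usage: rules_to_te MODULE [VERSION] < saved_rules.txt > MODULE.te
rules_to_te() {
    awk -v mod="$1" -v ver="${2:-1.0.0}" '
    function add_type(t) {               # "self" is a keyword, not a type
        if (t == "self" || (t in seen_t)) return
        seen_t[t] = 1
        tlist = tlist (tlist == "" ? "" : ", ") t
    }
    /^[ \t]*allow[ \t]/ {                # comment/header lines are skipped
        rule = $0
        gsub(/[{};]/, " ")               # drop braces and ";" so fields split cleanly
        split($3, tc, ":")               # $3 is target:class
        add_type($2); add_type(tc[1])
        cls = tc[2]
        if (!(cls in perms)) { order[++nc] = cls; perms[cls] = "" }
        for (i = 4; i <= NF; i++)        # remaining fields are permissions
            if (!((cls, $i) in seen_p)) {
                seen_p[cls, $i] = 1
                perms[cls] = perms[cls] " " $i
            }
        sub(/^[ \t]+/, "", rule)
        rules[++nr] = rule
    }
    END {
        if (nr == 0) { print "no allow rules found" > "/dev/stderr"; exit 1 }
        printf "module %s %s;\n\nrequire {\n", mod, ver
        for (i = 1; i <= nc; i++)
            printf "\tclass %s {%s };\n", order[i], perms[order[i]]
        printf "\ttype %s;\n}\n\n", tlist
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Compile and package MODULE.te with the two commands from the answer.
build_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod"
}

# Constructed input: the audit2allow output quoted in the question.
SAMPLE_RULES='#============= httpd_t ==============
allow httpd_t default_t:sock_file write;
allow httpd_t unconfined_t:unix_stream_socket connectto;'
printf '%s\n' "$SAMPLE_RULES" | rules_to_te my_module
```

Read the generated .te before building it: the require block only declares what the rules reference and does not narrow what they allow.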