Creating new SELinux policy module

Found the instructions here for editing SELinux policy: http://etbe.blogspot.com/2007/03/creating-new-se-linux-policy-module.html

I edited the policy to allow syslog-ng to listen on a port other than the default 514. To view the AVC denial messages for syslog-ng, I ran the following command: dmesg | grep syslog-ng

SELinux was not allowing TCP connections for syslog-ng. I don't have the output of the command as a demonstration, sorry.

As root, run the following:

dmesg | grep syslog-ng | audit2allow -m local > local.te

The -m option to audit2allow instructs it to generate policy module source (a type enforcement file with a require block) rather than bare allow rules. The resulting local.te file is below:

module local 1.0;

require {
	# types and classes this module references but does not define
	type syslogd_t;
	type port_t;
	class tcp_socket { name_bind name_connect };
}

#============= syslogd_t ==============
# let the syslog-ng domain bind to and connect over generic (port_t) TCP ports
allow syslogd_t port_t:tcp_socket { name_bind name_connect };

Then use the following commands to compile the module and package it:

checkmodule -M -m -o local.mod local.te

semodule_package -o local.pp -m local.mod

The result is the policy package local.pp and the intermediate compiled module local.mod (which can be removed once the build is finished).

After creating the module I used the following command to link it with the running policy and load it into the kernel:

semodule -i ./local.pp
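As an added example (not code from the original post, nor from the syslog-ng or SELinux projects), the shell script below puts the whole procedure together. It re-implements in awk the part of audit2allow -m that turns AVC denial lines into a .te file of the shape shown above, checks whether the generated rules target the generic port_t label (the caveat a reviewer would raise about the rule above), and wraps the checkmodule, semodule_package and semodule steps. The AVC lines and the port number 5140 are constructed for illustration; semanage port is only mentioned in a note, not run.

```shell
#!/bin/sh
# Added example, not from the original post or any project. Re-creates the
# audit2allow -m step for a few AVC lines, flags the port_t caveat, and wraps
# the build/load commands. Sample data below is constructed, not captured.

# Constructed sample denials in dmesg/audit format (not from a real host).
SAMPLE_AVC='audit(1234567890.123:45): avc:  denied  { name_bind } for  pid=1234 comm="syslog-ng" src=5140 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1234567890.124:46): avc:  denied  { name_connect } for  pid=1234 comm="syslog-ng" dest=5140 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1234567890.125:47): avc:  denied  { read } for  pid=1234 comm="syslog-ng" name="messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_to_te MODULE_NAME  < avc-lines
# Emits a `module` line, a require block listing every type and class seen,
# and one allow rule per (source type, target type, class) with the denied
# permissions merged. The type is the third field of an SELinux context.
avc_to_te() {
  awk -v mod="$1" '
    function add_type(t) { if (!(t in tseen)) { tseen[t] = 1; tlist[++nt] = t } }
    /avc: *denied/ {
      # permissions are the words between the braces after "denied"
      s = $0; sub(/.*denied *[{] */, "", s); sub(/ *[}].*/, "", s); perms = s
      st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (st == "" || tt == "" || cls == "") next
      add_type(st); add_type(tt)
      if (!(cls in cseen)) { cseen[cls] = 1; clist[++nc] = cls }
      key = st ":" tt ":" cls
      if (!(key in kseen)) { kseen[key] = 1; klist[++nk] = key }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        # merge permissions per rule and per class, keeping first-seen order
        if (!((key, p[j]) in pseen)) {
          pseen[key, p[j]] = 1
          rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[j]
        }
        if (!((cls, p[j]) in cpseen)) {
          cpseen[cls, p[j]] = 1
          cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") p[j]
        }
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", clist[i], cperm[clist[i]]
      printf "}\n\n"
      for (i = 1; i <= nk; i++) {
        split(klist[i], k, ":")
        printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rule[klist[i]]
      }
    }'
}

# uses_generic_port_type  < policy.te
# Succeeds (exit 0) if any rule targets port_t, the label for ports that no
# policy has claimed. Granting name_bind/name_connect on port_t covers every
# such port, which is wider than "the one port syslog-ng needs".
uses_generic_port_type() {
  grep -Eq '(^|[[:space:]])port_t:(tcp|udp)_socket'
}

# build_and_load NAME   (expects NAME.te in the current directory; run as root)
# -M builds with MLS/MCS support as the targeted policy requires; -m builds a
# non-base module. NAME.mod is only needed as semodule_package input.
build_and_load() {
  name=$1
  for tool in checkmodule semodule_package semodule; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found; skipping build" >&2; return 2; }
  done
  checkmodule -M -m -o "$name.mod" "$name.te" &&
  semodule_package -o "$name.pp" -m "$name.mod" &&
  rm -f "$name.mod" &&
  semodule -i "./$name.pp"
}

# Generate the module source to stdout; redirect it to local.te and call
# `build_and_load local` as root to install it.
TE=$(printf '%s\n' "$SAMPLE_AVC" | avc_to_te local)
printf '%s\n' "$TE"
if printf '%s\n' "$TE" | uses_generic_port_type; then
  cat >&2 <<'EOF'
note: a rule targets port_t, so it permits every unclaimed port, not just the
one syslog-ng needs. The narrower fix is to label that port so the existing
syslogd policy applies, then regenerate from fresh denials (as root, not run here):
    semanage port -a -t syslogd_port_t -p tcp 5140
EOF
fi
```

The generated output reproduces the post's local.te (plus a second rule for the extra constructed file denial), and the note explains why the port_t rule is broader than the stated goal of one non-default port.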
