SElinux - Determine what permissions are needed by an application to not have SElinux fail it
- Add audit=1 to the kernel command line in /boot/grub/grub.conf (GRUB legacy; on a GRUB 2 system put it in GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the config) and then reboot.
- This enables the kernel audit subsystem from boot instead of only once auditd starts, so every SELinux AVC decision ends up in /var/log/audit/audit.log, including ones from services that start early. That verbose logging is exactly what we want.
- Do a setenforce 0 (as root) to switch to Permissive mode. SELinux now logs every denial but blocks nothing, so one run of the application records the full set of missing permissions instead of stopping at the first one. The change is not persistent across a reboot.
tail /var/log/audit/audit.log
and look for the setenforce message: a type=MAC_STATUS record with enforcing=0 old_enforcing=1. Its timestamp is the number inside msg=audit(SECONDS.MILLISECONDS:SERIAL).
- Record it (we'll call it TIMESTAMP from here).
- Have your application do its thing, exercising every code path it normally uses, because only the denials you trigger get captured. Wait until it's completely finished.
grep -A 1000 TIMESTAMP /var/log/audit/audit.log > ~/audit.output
- This drops out the SElinux log messages since you changed to Permissive mode. Note that -A 1000 stops after 1000 lines, so on a busy system check that the end of audit.output is later than your application's last action; ausearch -m AVC -ts <time> selects records by time directly and avoids that limit.
- Read the audit.output file.
- Remove any lines that are obviously not related to the application; the type=AVC records carry comm="..." and pid= fields that identify the process that was denied.
- For example, there may be commands that the application itself runs whose denials are not necessarily relevant here; other daemons running at the same time will also have logged denials that are not the application's.
- Use audit2allow to generate a custom SElinux module with
audit2allow -M application_local < ~/audit.output
- This writes application_local.te (readable policy source) and application_local.pp (the compiled module) into the current directory.
- Read application_local.te and make sure that it's sane.
- It should only contain rules for the application's own domain and the objects it genuinely needs. Be suspicious of broad permissions such as capability dac_override or sys_admin, execmem, or write access to whole classes like etc_t: a denial on a file that is simply mislabelled is better fixed with semanage fcontext and restorecon than by allowing it.
- Insert the module into SElinux with
semodule -i application_local.pp
- Look at your audit.log and get the timestamp from when the new module was inserted.
- Run the application again.
- This time you should see no new AVC denials for it in the audit log.
- If you do, you'll need to strip out the existing module with
semodule -r application_local
and start again. (Since semodule -i of a module with the same name replaces the installed one, you can also regenerate the module from the remaining denials and reinstall it.)
- Change SElinux to Enforcing mode with
setenforce 1
- Run the application again, and this time it should work AND you should see nothing in the audit log.
- If it still doesn’t work, start again.
- Remove audit=1 from grub.conf (or /etc/default/grub, regenerating the config) and reboot.
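The steps above as one script, added here as an example rather than taken from the wiki page. It finds the setenforce marker, pulls out every audit record after it by timestamp (no 1000-line limit), keeps only the AVC denials whose comm= field names the application, and runs audit2allow; loading the module is deliberately left to you after reading the .te file, as the page insists. Assumptions that are not on the page: auditd writes /var/log/audit/audit.log, the application is identified by its comm= field, the sample records at the bottom are constructed (app_t and the file names are placeholders), and the function and variable names are this example's own.

```shell
#!/bin/bash
# Added example (not from the wiki page): the procedure above as a script.
# It reads the audit log after the setenforce marker, keeps only the AVC
# records for one program, and runs audit2allow. Loading the module is left
# to you after reading the .te file, as the page insists.
# Assumptions: auditd writes /var/log/audit/audit.log; the program is picked
# out by the comm="..." field of its AVC records; function names are ours.

# Print every record whose audit timestamp is at or after EPOCH.
# Records look like: type=AVC msg=audit(1609800010.500:457): avc: denied ...
# Comparing the epoch numerically avoids the "grep -A 1000" line limit.
audit_since() {   # audit_since LOGFILE EPOCH
  awk -v since="$2" '
    match($0, /msg=audit\([0-9]+\.[0-9]+/) {
      ts = substr($0, RSTART + 10, RLENGTH - 10)   # skip "msg=audit("
      if (ts + 0 >= since + 0) print
    }' "$1"
}

# Timestamp of the most recent setenforce marker (type=MAC_STATUS record).
# The kernel writes it only when the mode actually changes.
latest_mac_status_ts() {   # latest_mac_status_ts LOGFILE
  grep 'type=MAC_STATUS' "$1" | tail -n 1 |
    sed -n 's/.*msg=audit(\([0-9.]*\):.*/\1/p'
}

# Keep only AVC denials whose comm= field names the program (stdin -> stdout).
avc_for_app() {   # avc_for_app COMM
  grep 'type=AVC' | grep -F "comm=\"$1\""
}

# Constructed sample records (not real captures) so the filters can be tried
# offline. The app_t domain and the file names are placeholders.
write_sample_log() {   # write_sample_log PATH
  cat > "$1" <<'EOF'
type=AVC msg=audit(1609799000.000:100): avc:  denied  { read } for  pid=900 comm="crond" name="foo" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=MAC_STATUS msg=audit(1609800000.123:456): enforcing=0 old_enforcing=1 auid=0 ses=1
type=AVC msg=audit(1609800010.500:457): avc:  denied  { write } for  pid=1234 comm="myapp" name="data.db" scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1609800010.500:457): arch=c000003e syscall=2 success=yes exit=3 comm="myapp"
type=AVC msg=audit(1609800011.000:458): avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=5432 scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1609800012.000:459): avc:  denied  { getattr } for  pid=77 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
EOF
}

# Live workflow, guarded by an environment variable so that merely running the
# file never touches SELinux state. Needs root.
#   SELINUX_APP_AUDIT=1 ./selinux_app_audit.sh COMM command [args...]
if [ "${SELINUX_APP_AUDIT:-0}" = "1" ]; then
  app="$1"; shift
  log=/var/log/audit/audit.log
  setenforce 0
  since=$(latest_mac_status_ts "$log")
  [ -n "$since" ] || since=$(date +%s)   # already permissive: no marker written
  "$@"                                   # run the application to completion
  audit_since "$log" "$since" | avc_for_app "$app" > ~/audit.output
  audit2allow -M "${app}_local" < ~/audit.output   # writes .te and .pp here
  echo "Review ${app}_local.te, then: semodule -i ${app}_local.pp; setenforce 1"
fi
```

With the sample log, audit_since drops only the crond denial logged before the marker, and avc_for_app myapp leaves the two denials (the var_lib_t write and the postgresql_port_t name_connect) that would feed audit2allow; the sshd denial that happened at the same time is discarded, which is the manual clean-up step of the page done by filter.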
selinux/determine_what_permissions_are_needed_by_an_application_to_not_have_selinux_fail_it.txt · Last modified: 2021/01/04 23:17 by peter