Policy application when blocked by SElinux

Use scene

--When it is detected in audit.log that a specific process is blocked by SELinux.

procedure

1. Confirmation of the cause of being blocked by SElinux.

sudo audit2allow -w -a

sudo audit2allow -a

• The audit command is output by referring to audit.log.
• Do not go to see the rotated files (audit.log.X, audit.log-YYYYMMDD).

2. Create a policy file.

 sudo audit2allow -a -M policy file name

• At this point, .te .pp is created.

3. Apply policy

 sudo semodule -i policy file name.pp

4-1. Policy application confirmation.

Confirm that the applied policy is displayed.

sudo semodule -l

4-2. Confirmation of policy application.

4-2-1. Load the sepolicy module.

[stack@rhosp-dir01 ~]$ python
Python 2.7.5 (default, Jun 11 2019, 14:33:56) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> import sepolicy
>>> 

4-2-2. Policy application confirmation

 >>> sepolicy.search ([sepolicy.ALLOW], {sepolicy.TARGET:'context in policy file'})

 Example
>>> sepolicy.search([sepolicy.ALLOW],{sepolicy.TARGET:'logrotate_t'})
[{'target': 'domain', 'enabled': True, 'source': 'nagios_openshift_plugin_t', 'permlist': ['read', 'getattr'], 'type': 'allow', 'class': 'lnk_file'},
 abridgement

• Since sepolicy.search can only have two arguments, if a large amount is output, grep the log separately to check the target.