From Fedora Project Wiki
Latest revision as of 18:14, 15 August 2015

audit2allow creating loadable modules

  • Problem: User reports seeing the following AVC message
type=AVC msg=audit(1138596151.681:104174): avc:  denied  { name_connect } for  pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
  • Solution: use audit2allow to build loadable module to fix problem
Generating type enforcment file: spamd.te
Compiling policy: checkmodule -M -m -o spamd.mod spamd.te
Building package: semodule_package -o spamd.pp -m spamd.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i spamd.pp

You need to have the checkpolicy package installed to build policy modules
  • Audit2allow creates loadable module that looks like:
module spamd 1.0;

require {
role object_r;
role system_r;

class tcp_socket name_connect;

type ldap_port_t;
type spamd_t;
};


allow spamd_t ldap_port_t:tcp_socket name_connect;
  • semodule -i spamd.pp # Load the module
  • semodule -r spamd # Remove the module
  • semodule -l # List all loadable modules
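The derivation the page walks through (one AVC denial becoming a require block and an allow rule) and the checkmodule / semodule_package / semodule steps listed above, as an added example that is not part of the wiki page or of the audit2allow tool: avc_to_te rebuilds the .te source that audit2allow -M produces from one or more AVC denials, and build_module runs the page's build commands when the tools are installed, returning 2 otherwise (the checkpolicy caveat from the page). The helper names avc_to_te and build_module, the second AVC line and its /tmp/example path are constructed for this example; the first AVC line is the one quoted on the page.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: rebuild, from raw AVC denial
# lines, the type-enforcement (.te) source that audit2allow -M derives, and run
# the checkmodule -> semodule_package -> semodule steps the page lists.
# avc_to_te() and build_module() are helper names chosen here, not SELinux tools.

# The denial quoted on the page.
PAGE_AVC='type=AVC msg=audit(1138596151.681:104174): avc:  denied  { name_connect } for  pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket'
# A constructed second denial (sample data, not from any real log), showing how
# several denials for one domain fold into a single module.
CONSTRUCTED_AVC='type=AVC msg=audit(1138596152.100:104175): avc:  denied  { read write } for  pid=23796 comm="spamd" path="/tmp/example" scontext=root:system_r:spamd_t tcontext=system_u:object_r:tmp_t tclass=file'

# avc_to_te MODULE   (AVC lines on stdin) -> .te source on stdout
# Every list is sorted so the same denials always produce the same file.
avc_to_te() {
  awk -v mod="$1" '
    # insertion sort of the keys of arr into out[1..n]; returns n
    function sorted(arr, out,   k, n, i) {
      n = 0
      for (k in arr) {
        i = ++n
        while (i > 1 && out[i-1] > k) { out[i] = out[i-1]; i-- }
        out[i] = k
      }
      return n
    }
    # "perm" for one permission, "{ a b }" for several (deduplicated, sorted)
    function perm_set(list,   seen, parts, out, i, n, str) {
      n = split(list, parts, " ")
      for (i = 1; i <= n; i++) seen[parts[i]] = 1
      n = sorted(seen, out)
      if (n == 1) return out[1]
      str = "{"
      for (i = 1; i <= n; i++) str = str " " out[i]
      return str " }"
    }
    /avc: +denied/ {
      found = 1
      # the permission set sits between the braces: { name_connect }
      match($0, /\{[^}]*\}/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      # key=value fields; a context is user:role:type[:level]
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) split(substr($i, 10), sctx, ":")
        else if ($i ~ /^tcontext=/) split(substr($i, 10), tctx, ":")
        else if ($i ~ /^tclass=/) tclass = substr($i, 8)
      }
      roles[sctx[2]] = 1; roles[tctx[2]] = 1
      types[sctx[3]] = 1; types[tctx[3]] = 1
      class_perms[tclass] = class_perms[tclass] " " perms
      key = sctx[3] " " tctx[3] " " tclass
      rule_perms[key] = rule_perms[key] " " perms
    }
    END {
      if (!found) { print "no AVC denials found on stdin" > "/dev/stderr"; exit 1 }
      printf "module %s 1.0;\n\nrequire {\n", mod
      n = sorted(roles, o)
      for (i = 1; i <= n; i++) printf "\trole %s;\n", o[i]
      n = sorted(class_perms, o)
      for (i = 1; i <= n; i++) printf "\tclass %s %s;\n", o[i], perm_set(class_perms[o[i]])
      n = sorted(types, o)
      for (i = 1; i <= n; i++) printf "\ttype %s;\n", o[i]
      printf "};\n\n"
      n = sorted(rule_perms, o)
      for (i = 1; i <= n; i++) {
        split(o[i], k, " ")
        printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], perm_set(rule_perms[o[i]])
      }
    }'
}

# build_module MODULE DIR   (AVC lines on stdin)
# Writes DIR/MODULE.te, then runs the commands from the page when the tools exist.
# Returns 2 when checkmodule or semodule_package is missing (checkpolicy and
# policycoreutils packages) so a caller can tell "not built" from "failed".
build_module() {
  module=$1; dir=$2
  avc_to_te "$module" > "$dir/$module.te" || return 1
  if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
    echo "checkmodule/semodule_package not found; install checkpolicy to build $dir/$module.te" >&2
    return 2
  fi
  checkmodule -M -m -o "$dir/$module.mod" "$dir/$module.te" || return 1
  semodule_package -o "$dir/$module.pp" -m "$dir/$module.mod" || return 1
  echo "built $dir/$module.pp; review its allow rules, then load with: semodule -i $dir/$module.pp"
}

# Demo: both denials folded into one spamd module, printed to stdout.
printf '%s\n' "$PAGE_AVC" "$CONSTRUCTED_AVC" | avc_to_te spamd
```

Run with sh; the output for the page's single denial is the same module shown above (roles, class, types, one allow rule). Read the generated allow rules before semodule -i: each one grants exactly the access that was denied, so a denial produced by a misconfigured or compromised service would be permitted just as readily as a legitimate one. The real audit2allow also points at an existing SELinux boolean when one would grant the access; this reimplementation only emits the raw rules.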