SELinux-Tools

My collection of SELinux related Software/Policies/etc that make my life easier in managing SELinux.

Primary language: Shell. License: GNU General Public License v2.0 (GPL-2.0).

compilete

How to compile a .te file into .pp:

Sometimes audit2allow fails to generate a valid .te file, which results in compilation errors. After modifying the .te file to be valid, you can compile it manually with checkmodule and semodule_package, but this takes time.

compilete takes a filename as its first argument and attempts to compile any .te files with that name in the current directory. For example: compilete myModule.te. It outputs a .mod and a .pp file with the same name as the .te file. If the .pp file is generated successfully, you can load it with semodule -i myModule.pp.

This saves a ton of time otherwise spent looking up the checkmodule and semodule_package syntax in the audit2allow man page and typing those commands out.

For best results, place it at /usr/bin/compilete.

domtrans_example.txt

When making custom SELinux policies, I ran into an issue where a custom SELinux policy was launching under the context of the parent process and was not properly transitioning. When checking the AVC denials in the audit log, you will see the parent process requesting "execute_no_trans" on the custom type you created.

This example shows what you need to add to your .te file before you compile it to force the transition to the proper policy.
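The script below is an added example, not the repository's domtrans_example.txt: it reads audit log lines, picks out the "execute_no_trans" denials described above, and prints the minimum rules a .te file needs for the transition itself. The function names, the target domain myapp_t and the sample log lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: derive domain-transition rules from execute_no_trans denials.
# Usage: domtrans_rules TARGET_DOMAIN < /var/log/audit/audit.log

domtrans_rules() {
    # $1 = domain the program should run in (assumption: you already defined it)
    awk -v domain="$1" '
    /avc:/ && /denied/ && /execute_no_trans/ {
        src = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type[:level]; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
        }
        # Emit each (parent domain, executable type) pair only once.
        if (src != "" && tgt != "" && !seen[src SUBSEP tgt]++) {
            # Default new processes started from this executable to the domain.
            printf "type_transition %s %s:process %s;\n", src, tgt, domain
            # The parent may execute the file and transition to the domain.
            printf "allow %s %s:file { getattr open read execute };\n", src, tgt
            printf "allow %s %s:process transition;\n", src, domain
            # The executable type is a valid entry point into the domain.
            printf "allow %s %s:file entrypoint;\n", domain, tgt
        }
    }'
}

# Constructed sample input: two identical denials plus one unrelated denial.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute_no_trans } for  pid=2101 comm="bash" path="/usr/local/bin/myapp" dev="dm-0" ino=131 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:myapp_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { execute_no_trans } for  pid=2107 comm="bash" path="/usr/local/bin/myapp" dev="dm-0" ino=131 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:myapp_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=2110 comm="myapp" name="conf" dev="dm-0" ino=140 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# Every type and class used above must also appear in the module's require block.
sample_avc | domtrans_rules myapp_t
```

Review the printed rules before adding them to the .te file: the script only reports what the denial shows, and the target domain is whatever you pass in.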