
The SELinux Cheatsheet

SELinux is a tool that is cool in principle, but in practice is stupidly hard to work with.

Good tutorial on how to use SELinux:

List of commands: https://fedoraproject.org/wiki/SELinux/Commands

In the meantime, I've been building up a cheatsheet of commands to get things working without turning it off:

Cheatsheet

# This is from CentOS 8.2
# Make sure the audit tools (audit2allow, sealert) are available
dnf install policycoreutils-python-utils setroubleshoot

# Disable the dontaudit rules so that every blocked action shows up in the audit log
# (re-enable them afterwards with: semodule --build)
semodule --build --disable_dontaudit

# Switch to permissive mode so everything that would have been denied is logged but not blocked
# (switch back afterwards with: setenforce 1)
setenforce 0

# Watch the audit log for denials, saving them to selinux-blocks.log for review
tail -n0 -f /var/log/audit/audit.log | grep --line-buffered denied | tee selinux-blocks.log

# Now run the thing that you want to work

# Have a browse to see what would have been blocked, and remove any lines you don't want to allow
# (a denial caused by a mislabelled file is better fixed with restorecon than with an allow rule)
vim selinux-blocks.log

# You can now compile a working module from the remaining denials
# (audit2allow writes allowpolicy.te next to allowpolicy.pp; read the .te before installing it)
audit2allow -M allowpolicy -i selinux-blocks.log
semodule -i allowpolicy.pp
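As an added example (not part of the original post), here is a small Python triage helper for the "have a browse" step: it parses captured AVC denial lines into the (source type, target type, class, permissions) tuples that audit2allow turns into allow rules, and drops any line whose target type is not on an explicit allow-list before the file is handed to audit2allow. The sample audit lines and the allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of AVC records in the format found in /var/log/audit/audit.log
# on a box running in permissive mode (permissive=1 means the action was logged,
# not blocked). These are illustrative, not real captures.
SAMPLE_LOG = """\
type=AVC msg=audit(1600000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.102:202): avc:  denied  { open } for  pid=1201 comm="httpd" path="/home/web/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.104:204): avc:  denied  { write } for  pid=1201 comm="httpd" name="shadow" dev="dm-0" ino=17 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1600000000.104:204): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set(perms)) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarize(log_text):
    """Group denials the way audit2allow will: one rule per (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def keep_only(log_text, allowed_targets):
    """Keep raw lines whose target type is on the allow-list; everything else is dropped
    before the file goes to audit2allow, so unreviewed target types never become rules."""
    kept = [l for l in log_text.splitlines()
            if (p := parse_avc(l)) and p[1] in allowed_targets]
    return "\n".join(kept) + ("\n" if kept else "")

if __name__ == "__main__":
    for (s, t, c), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    # shadow_t is not on the constructed allow-list, so that denial never reaches audit2allow
    print(keep_only(SAMPLE_LOG, {"user_home_t", "postgresql_port_t"}), end="")
```

Run it over selinux-blocks.log instead of SAMPLE_LOG and feed the filtered output to audit2allow; the summary lines show which rules the module would contain before you build it.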
