You have overwritten your previous "allowlist" module with a new one. Because the names of the modules were the same.
To get a broader view of the permissions a particular process needs, you should test the functionality in permissive mode or preferably with the process type declared permissive type (semanage permissive -a/-d mytype_t)
-- make sure to remove any permissive type declarations that you added while testing!:
1. to list existing permissive types: semanage permissive -l
2. to remove a permissive type (mytype_t): semanage permissive -d mytype_t
Example: To read a file successfully various permissions are required in particular order
1. needs to be able to get to the file (traverse parent directories)
2. needs to be able to get attributes of the file (test whether the file exists (test -f myfile )
3. open the file
4. read the file
5. maybe lock the file, use ioctls etc
If any of these steps are blocked then the process might not be able to proceed and it might stop trying
for example if step 2 is blocked by SELinux then the process might think the file does not exist and act accordingly)
So to get the fuller picture you have to make sure that when in a testing phase the process is allowed to do what it wants, but SELinux would log what it would normally would have blocked in enforcing mode
audit2allow with the -r option can be used to tell audit2allow to print out the rules translated from the SELinux events and their requiements.
This output can then be pasted into a new file with a .te suffix
You should manually add a module declaration on top of the file.
echo "module mymodule 1.0.0;" > mymodule.te
ausearch -m avc,user_avc -ts recent | audit2allow -r >> mymodule.te
then you can manually build and install the mymodule.te source policy module (after reviewing the contents of mymodule.te):
checkmodule -M -m mymodule.te -o mymodule.mod
semodule_package -o mymodule.pp -m mymodule.mod
semodule -i mymodule.pp
semodule -l | grep mymodule
Remember that modules with the same module name that are installed using the same priority will be overwritten! and that if theyre not installed with the same priority, that the module on the highest priority takes precedence.
.
although not strictly needed. it is good to keep a copy of the source policy file (mymodule.te) for reference and for your co-workers so that they can see what is in there) . Can also be handy if later on you want to append some new rules to the module.
alternatively you can use semodule to export the loaded version in a readable cil language:
semodule --cil -E mymodule && cat mymodule.cil
Last edited by dac.override; 10-03-2017 at 11:02 AM.
|