How to Extract and Package Custom SELinux Policies on CentOS 6.7

When working with SELinux in permissive mode, administrators often need to create custom policies to allow specific processes to run. The typical workflow involves:

  • Monitoring audit logs for AVC denials
  • Using audit2allow to generate policy modules
  • Compiling and loading these modules

However, many admins (myself included) forget to save the intermediate .te and .pp files during this process, making it difficult to replicate the configuration on other systems.

To view all currently loaded SELinux policy modules (including custom ones):

semodule -l

This will show both base policies and any custom modules you've added. Custom modules typically appear at the bottom of the list.

For CentOS 6.7, you can extract existing custom policies using these steps:

# First, identify your custom modules
semodule -l | grep -v ^base

# For each custom module, extract it. semodule -E prints nothing: it writes
# <module>.pp into the current directory, so change into the backup directory first
mkdir -p ~/selinux_backup
for module in $(semodule -l | grep -v ^base | awk '{print $1}'); do
    (cd ~/selinux_backup && semodule -E "${module}")
done

To bundle all custom policies into a single redistributable package, starting from their .te sources (the copies you saved, or sources regenerated with audit2allow). Note that audit2allow writes its own module line and require block into every .te, and checkmodule accepts only one module declaration per source file, so the concatenated file needs those headers merged before it compiles:

# Create a master policy file
cat ~/selinux_backup/*.te > combined_policy.te

# Compile the policy
checkmodule -M -m -o combined_policy.mod combined_policy.te
semodule_package -o combined_policy.pp -m combined_policy.mod

# Install the compiled policy; semodule validates it while loading
semodule -i combined_policy.pp

For the awstats/logrotate scenario mentioned, here's how you might reconstruct the policy:

# First find relevant AVC denials
grep awstats /var/log/audit/audit.log | audit2allow -m awstats_policy > awstats_policy.te

# Then compile and install
checkmodule -M -m -o awstats_policy.mod awstats_policy.te
semodule_package -o awstats_policy.pp -m awstats_policy.mod
semodule -i awstats_policy.pp

  • Always test new policies in permissive mode first
  • Consider using sealert -a /var/log/audit/audit.log for better analysis
  • For production systems, document each policy change

Create a simple cron job to regularly back up your custom policies (the six-field form with a user column belongs in /etc/crontab or /etc/cron.d). Because semodule -E writes <module>.pp into the current directory, the job changes into the backup directory first:

0 3 * * * root mkdir -p /var/selinux/backups && cd /var/selinux/backups && /usr/sbin/semodule -l | grep -v ^base | awk '{print $1}' | xargs -n 1 /usr/sbin/semodule -E

When troubleshooting SELinux denials, we often create custom policies incrementally using tools like audit2allow. The process typically looks like this:

# Typical workflow for creating custom policies
# (audit.log writes "avc:  denied" with double spaces, so match it loosely)
grep "avc:.*denied" /var/log/audit/audit.log | audit2allow -m mypolicy > mypolicy.te
checkmodule -M -m -o mypolicy.mod mypolicy.te
semodule_package -o mypolicy.pp -m mypolicy.mod
semodule -i mypolicy.pp

To view all currently loaded SELinux modules (including custom ones) together with their priorities. This listing belongs to newer policycoreutils releases; on CentOS 6.7, semodule -l prints only the module name and version, with no priority column:

semodule -lfull

This will display output similar to:

100 my_custom_policy     pp
200 httpd_custom         pp
...

While there's no direct way to "export" policies as a single package, we can:

  1. Identify custom policies (usually higher priority numbers)
  2. Extract them individually
  3. Combine them into a consolidated policy

Here's how to extract a specific policy:

# Extract the policy module to a .pp file; semodule -E has no output option
# and writes my_custom_policy.pp into the current directory
semodule -E my_custom_policy

# Unpack the .pp into its compiled module (.mod) and file contexts (.fc).
# semodule_unpackage does not produce the .te source; keep the original .te
semodule_unpackage my_custom_policy.pp my_custom_policy.mod my_custom_policy.fc

To combine multiple custom policies into one:

# Create a temporary directory
mkdir policy_merge
cd policy_merge

# Extract all custom policies (semodule -lfull prints "priority name language";
# semodule -E writes <module>.pp into the current directory)
for module in $(semodule -lfull | awk '$1 > 200 {print $2}'); do
    semodule -E "${module}"
    semodule_unpackage "${module}.pp" "${module}.mod" "${module}.fc"
    # the .pp does not contain the .te source: append your saved copy of it
    # (copied into policy_merge beforehand)
    cat "${module}.te" >> combined_policy.te
done

# Build the consolidated policy
checkmodule -M -m -o combined_policy.mod combined_policy.te
semodule_package -o combined_policy.pp -m combined_policy.mod

SELinux stores policy modules in /etc/selinux/targeted/modules/active/modules/. You can:

# List all available modules
ls -l /etc/selinux/targeted/modules/active/modules/*.pp

# Backup the custom modules by name (use the names shown by semodule -l);
# semodule -l itself carries no priority column, so an awk filter on $1 cannot select them
mkdir -p ~/selinux_backup
for module in my_custom_policy httpd_custom; do
    cp /etc/selinux/targeted/modules/active/modules/${module}.pp ~/selinux_backup/
done

  • Always test consolidated policies in permissive mode first
  • Keep original individual policy files when possible
  • Document the purpose of each custom rule in comments
  • Consider using sepolicy generate for more maintainable policies