Summary
In this chapter, you learned:
- RHEL provides the sepolicy generate command to generate SELinux policy modules for different kinds of applications, such as executable files.
- Autogenerated policy modules set the application domain to permissive mode, so you can load the module and run the application to generate AVC errors, which you can filter by application domain or executable file, and assess which policy rules to add to the policy.
- RHEL provides the audit2allow command, which is smart enough to suggest either policy interfaces, when they exist, or standalone allow statements. But it stops at the first match, so it may suggest an interface which grants more access than you need.
- Always review the RHEL interface files in the /usr/share/selinux/devel/include/ directory for comments on interfaces, and also use the macro-expander command to review the allow statements they generate.
- Creating SELinux policy modules with sepolicy and audit2allow is an interactive process which requires exercising all features of the target application so it generates AVC errors in the audit log.
- The recommended way of redistributing SELinux policy modules for deploying into multiple systems is by using RPM packages.
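The iterative loop the summary describes (generate a permissive skeleton with sepolicy, load it, exercise the application, collect only that domain's AVC records, and feed them to audit2allow -R) written out as a shell script. This is an added example, not part of the course material: the application path /usr/local/sbin/mydaemon, the module name mydaemon, the --selftest argument, and the sample AVC records are all constructed for illustration, and the macro-expander flags shown in the commented review step are assumed rather than taken from the page.

```shell
#!/bin/bash
# Added example: one round of the sepolicy / audit2allow policy-writing loop.
# APP_BIN, MOD_NAME and SAMPLE_AVC are constructed values, not from the course.

APP_BIN="${APP_BIN:-/usr/local/sbin/mydaemon}"   # assumed application binary
MOD_NAME="${MOD_NAME:-mydaemon}"                  # module name; domain is ${MOD_NAME}_t

# Constructed sample in the format `ausearch -m AVC --raw` prints. Two records
# belong to the application domain (mydaemon_t); the third is unrelated noise
# from httpd_t that must be filtered out before asking audit2allow for rules.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="mydaemon" name="mydaemon.conf" dev="dm-0" ino=41 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_bind } for  pid=1201 comm="mydaemon" src=8080 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1300 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Pass through only the AVC records whose source context type is $1.
# Filtering on scontext (the domain) rather than comm= (the executable name)
# avoids picking up other processes that share the program name; to filter
# by executable instead, use `ausearch -m AVC -c mydaemon`.
avc_for_domain() {
    grep -E "scontext=[^ ]*:${1}:"
}

# Number of denials attributed to domain $1; zero means the last round of
# exercising the application produced nothing new to add to the policy.
count_avc_for_domain() {
    avc_for_domain "$1" | awk '/ denied /{n++} END {print n+0}'
}

# One round of the interactive loop.
policy_round() {
    if [ ! -f "${MOD_NAME}.te" ]; then
        # --application: a user-started executable (use --init for a daemon).
        # The generated .te puts the domain in permissive mode, so the program
        # keeps running and every denial is logged instead of enforced.
        sepolicy generate --application -n "$MOD_NAME" "$APP_BIN"
    fi
    make -f /usr/share/selinux/devel/Makefile "${MOD_NAME}.pp"
    semodule -i "${MOD_NAME}.pp"
    restorecon -R -v "$APP_BIN"        # apply the new file context from the .fc

    # Exercise every feature of the application, not only start-up.
    "$APP_BIN" --selftest               # assumed: whatever drives the program

    # Only this domain's denials; -R asks audit2allow for interfaces first.
    # audit2allow stops at the first matching interface, so review each
    # suggestion against the .if file's comments before adding it, e.g.
    #   macro-expander -f /usr/share/selinux/devel/include/contrib/apache.if \
    #                  -e "apache_read_config(${MOD_NAME}_t)"   # flags assumed
    ausearch -m AVC --raw -ts recent | avc_for_domain "${MOD_NAME}_t" | audit2allow -R
}

# Run the round only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    policy_round
fi
```

After each round, add the reviewed rules to ${MOD_NAME}.te, rebuild, reload and repeat until count_avc_for_domain reports zero for a full exercise of the application; only then remove the permissive line from the .te. For distribution, the spec file that sepolicy generate writes alongside the .te is the starting point for the RPM package the summary recommends.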