From Fedora Project Wiki
< SELinux | LoadableModules
fp-wiki>ImportUser (Imported from MoinMoin) |
(added category SELinux) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 20: | Line 20: | ||
</pre> | </pre> | ||
{{ | {{Admon/caution | You need to have have the <code>checkpolicy</code> package installed to build policy modules}} | ||
* Audit2allow creates loadable module that looks like: | * Audit2allow creates loadable module that looks like: | ||
| Line 42: | Line 42: | ||
* semodule -r spamd # remove the module | * semodule -r spamd # remove the module | ||
* semodule -l # list all loadable modules | * semodule -l # list all loadable modules | ||
[[Category:SELinux]] | |||
Latest revision as of 18:14, 15 August 2015
audit2allow creating loadable modules
- Problem: User reports seeing the following AVC message
type=AVC msg=audit(1138596151.681:104174): avc: denied { name_connect } for pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
- Solution: use audit2allow to build loadable module to fix problem
Generating type enforcment file: spamd.te Compiling policy: checkmodule -M -m -o spamd.mod spamd.te semodule_package -o spamd.pp -m spamd.mod Building package: semodule_package -o spamd.pp -m spamd.mod ******************** IMPORTANT *********************** In order to load this newly created policy package into the kernel, you are required to execute semodule -i spamd.pp
.png){kind=small}
You need to have have the
checkpolicy package installed to build policy modules- Audit2allow creates loadable module that looks like:
module spamd 1.0;
require {
role object_r;
role system_r;
class tcp_socket name_connect;
type ldap_port_t;
type spamd_t;
};
allow spamd_t ldap_port_t:tcp_socket name_connect;
- semodule -i spamd.pp # Load the module
- semodule -r spamd # remove the module
- semodule -l # list all loadable modules