[CentOS] SELinux policy module sources

Mon May 5 18:38:14 UTC 2008
Ingemar Nilsson <init at kth.se>

Jim Perrin wrote:
> 
> With CentOS 5, you don't really need the selinux module source
> anymore. It's usually enough to clear the logs and in permissive mode,
> run the offending application. Then 'grep yourapp
> /var/log/audit/audit.log | audit2allow -M localmodname'. Check the
> module for sanity and make sure it's not allowing god-knows-what, then
> semodule -i localmodname.  It'll be there on reboot from now on. no
> need (although it's a good idea) to keep the module file hanging
> around.

I know that you can generate policy modules from audit logs with 
audit2allow, but I'd like to know how it all works. This is for a 
variety of reasons:

* Is the denial because of a bug in the policy with the default 
configuration, or because I made some configuration change that requires 
additional permissions? In the first case, a bug report would probably 
be appropriate.
* Maybe the error actually occurs because of some mislabeled file? 
Correcting a label is surely better than adding some unnecessary permission.
* I might want to develop policy modules for our own software, using new 
file contexts and new types. In this case, simply adding avc rules with 
audit2allow would be inappropriate, since the system does not know about 
my planned policy module.
* I'd like to use the source for existing policy modules as inspiration 
for my own work.

In addition, the policy generation tool (accessed through 
system-config-selinux) asks a few questions and then produces a .te, a 
.fc, a .if and (IIRC) a .pp file for my custom software. I know that the 
.te file is compiled into the .pp file, but what about e.g. the .fc 
file? Is it stored somewhere where restorecon will look for it, or is it 
simply used for the initial relabeling? Can I put it somewhere, like a 
/etc/selinux/.../file_contexts.d/ directory (no, it doesn't exist), or 
do I have to add the corresponding rules to the monolithic 
/etc/selinux/.../file_contexts file?

Regards
Ingemar