SELinux cheat sheet
SELinux is quite powerful, but I never remember how to create a new module off the top of my head, so here’s a cheat sheet for it.
First, you might want to use audit2allow to help you get started:
cat /var/log/audit/audit.log | audit2allow -m mymodulelocal > mymodulelocal.te
vim mymodulelocal.te
When you’re happy with the rules in your .te file, it’s time to compile it:
checkmodule -M -m -o mymodulelocal.mod mymodulelocal.te
semodule_package -m mymodulelocal.mod -o mymodulelocal.pp
And finally you can reload your .pp policy file:
semodule -vr mymodulelocal; semodule -vi mymodulelocal.pp
Or as a handy one-liner:
checkmodule -Mmo mymodulelocal.mod mymodulelocal.te && semodule_package -m mymodulelocal.mod -o mymodulelocal.pp && (semodule -vr mymodulelocal || true) && semodule -vi mymodulelocal.pp
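Before compiling, it is worth reading what audit2allow produced, since it turns every logged denial into an allow rule. The following added example (not part of the original post) lists the allow rules in a .te file and marks those granting a permission from RISKY, which is an assumed, non-exhaustive list; review_te and sample_te are hypothetical helper names, and sample_te prints constructed sample input.

```shell
#!/bin/sh
# Added example: review the allow rules in a .te file before running checkmodule.
# RISKY is an assumed, non-exhaustive list of permissions worth a second look.
RISKY="execmem execstack execheap execmod ptrace sys_admin sys_module sys_ptrace dac_override dac_read_search"

# review_te [FILE...]: print "ok" or "REVIEW" per allow rule (reads stdin if no FILE).
# Returns 1 when at least one rule grants a permission listed in RISKY.
review_te() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*allow[ \t]/ {
            gsub(/[{};]/, " ")   # fields become: allow source target:class perm...
            hits = ""
            for (i = 4; i <= NF; i++)
                if ($i in bad) hits = hits (hits == "" ? "" : ",") $i
            if (hits != "") { printf "REVIEW %s %s %s\n", $2, $3, hits; found = 1 }
            else printf "ok     %s %s\n", $2, $3
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample in the shape audit2allow -m writes (not taken from a real log).
sample_te() {
    cat <<'EOF'
module mymodulelocal 1.0;

require {
    type httpd_t;
    type user_home_t;
    class file { read open getattr };
    class process execmem;
    class capability { dac_override sys_admin };
}

#============= httpd_t ==============
allow httpd_t user_home_t:file { read open getattr };
allow httpd_t self:process execmem;
allow httpd_t self:capability { dac_override sys_admin };
EOF
}

# Demo on the sample; on a real system run: review_te mymodulelocal.te
sample_te | review_te || echo "flagged rules found: read them before compiling"
```
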