5.4. Creating a local SELinux policy module


Adding specific SELinux policy modules to an active SELinux policy can fix certain problems with the SELinux policy. You can use this procedure to fix a specific Known Issue described in Red Hat release notes or to implement a particular Red Hat Solution.

Warning

Use only rules provided by Red Hat. Red Hat does not support creating SELinux policy modules with custom rules because this falls outside of the Production Support Scope of Coverage. If you are not an expert, contact your Red Hat sales representative and request consulting services.

Prerequisites

  • The setools-console and audit packages for verification.

Procedure

  1. Open a new .cil file with a text editor, for example:

    # vi <local_module>.cil

    To keep your local modules better organized, use the local_ prefix in the names of local SELinux policy modules.

  2. Insert the custom rules from a Known Issue or a Red Hat Solution.

Important

    Do not write your own rules. Use only the rules provided in a specific Known Issue or Red Hat Solution.

    • For example, to resolve SELinux denies cups-lpd read access to cups.sock in RHEL, insert the following rule:

      (allow cupsd_lpd_t cupsd_var_run_t (sock_file (read)))

      The example solution has been fixed permanently for RHEL in RHBA-2021:4420. Therefore, the parts of this procedure specific to this solution do not affect updated RHEL 8 and 9 systems, and are included only as examples of syntax.

      You can use either of the two SELinux rule syntaxes, Common Intermediate Language (CIL) and m4. For example, (allow cupsd_lpd_t cupsd_var_run_t (sock_file (read))) in CIL is equivalent to the following in m4:

      module local_cupslpd-read-cupssock 1.0;
      
      require {
          type cupsd_var_run_t;
          type cupsd_lpd_t;
          class sock_file read;
      }
      
      #============= cupsd_lpd_t ==============
      allow cupsd_lpd_t cupsd_var_run_t:sock_file read;

  3. Save and close the file.
  4. Install the policy module:

    # semodule -i <local_module>.cil

    To remove a local policy module that you installed by using semodule -i, refer to the module name without the .cil suffix: semodule -r <local_module>.

  5. Restart any services related to the rules:

    # systemctl restart <service_name>

Verification

  1. List the local modules installed in your SELinux policy:

    # semodule -lfull | grep "local_"
    400 local_module  cil

    Because local modules have priority 400, you can also filter the list by that value, for example, by using the semodule -lfull | grep -v ^100 command.

  2. Search the SELinux policy for the relevant allow rules:

    # sesearch -A --source=<SOURCENAME> --target=<TARGETNAME> --class=<CLASSNAME> --perm=<P1>,<P2>

    Where <SOURCENAME> is the source SELinux type, <TARGETNAME> is the target SELinux type, <CLASSNAME> is the security class or object class name, and <P1> and <P2> are the specific permissions of the rule.

    For example, to resolve SELinux denies cups-lpd read access to cups.sock in RHEL:

    # sesearch -A --source=cupsd_lpd_t --target=cupsd_var_run_t --class=sock_file --perm=read
    allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open read write };

    The last line should now include the read operation.

  3. Verify that the relevant service runs confined by SELinux:

    1. Identify the process related to the relevant service:

      $ systemctl status <service_name>

    2. Check the SELinux context of the process listed in the output of the previous command:

      $ ps -efZ | grep <process_name>

  4. Verify that the service does not cause any SELinux denials:

    # ausearch -m AVC -i -ts recent
    <no matches>

    The -i option interprets the numeric values into human-readable text.
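The CIL-to-m4 equivalence shown in step 2 of the procedure and the sesearch check in verification step 2, as an added Python example that is not part of the Red Hat documentation: it parses the CIL allow rule from the Known Issue, renders the equivalent m4 module text, and checks a captured sesearch -A output line for the read permission. The sesearch line is a constructed copy of the one shown above; parse_cil_allow, cil_to_m4 and rule_has_perms are names chosen here.

```python
import re

# Constructed sample: the CIL rule from the Known Issue, exactly as on the page.
CIL_RULE = "(allow cupsd_lpd_t cupsd_var_run_t (sock_file (read)))"

# Constructed sample: one line of sesearch -A output after the module is installed.
SESEARCH_LINE = "allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open read write };"

# (allow <source> <target> (<class> (<perm> ...)))
CIL_ALLOW = re.compile(r"\(allow\s+(\w+)\s+(\w+)\s+\((\w+)\s+\(([\w\s]+)\)\)\)")
# allow <source> <target>:<class> <perm>;   or   allow ...:<class> { <perm> ... };
M4_ALLOW = re.compile(r"allow (\w+) (\w+):(\w+) (?:\{ ([\w\s]+) \}|(\w+));")


def parse_cil_allow(rule):
    """Return (source, target, class, [perms]) for a single CIL allow rule."""
    m = CIL_ALLOW.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"not a CIL allow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, perms.split()


def _perm_set(perms):
    """m4 writes a single permission bare and several inside braces."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def cil_to_m4(module_name, version, rules):
    """Render the m4 module equivalent to a list of CIL allow rules.

    The require block must declare every type and every class/permission
    the allow rules reference, which is what the page's m4 example shows.
    """
    types, classes, allows = set(), {}, []
    for rule in rules:
        src, tgt, cls, perms = parse_cil_allow(rule)
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
        allows.append(f"allow {src} {tgt}:{cls} {_perm_set(perms)};")
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allows
    return "\n".join(lines) + "\n"


def rule_has_perms(sesearch_line, src, tgt, cls, wanted):
    """Verification step 2: does the sesearch -A line grant every wanted permission?"""
    m = M4_ALLOW.fullmatch(sesearch_line.strip())
    if not m or (m.group(1), m.group(2), m.group(3)) != (src, tgt, cls):
        return False
    granted = set((m.group(4) or m.group(5)).split())
    return set(wanted) <= granted
```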
