You need to learn how to filter AVC denials and how to write a custom policy module to allow access for a specific action (your script, in this case).
I'd start by removing the module you inserted above, to start anew:
# semodule -r mymodule.pp
Afterwards, run your script:
# date && ./my_script.sh
The date invocation is useful to filter AVC denials based on timestamp.
Next, use the usual method to debug AVC denials, which makes use of the ausearch(8) command:
# ausearch -m avc -ts $timestamp | audit2allow
Check the manpage for further information on the switches you can use, specifically the -ts flag.
With this information you'll know what is being denied based on the existing policy.
Now you should determine whether to grant this access or not. Let's suppose you want to grant access. You would need to create a custom policy module describing the rules defining the access you want to grant. This is more or less simple depending on the complexity of your script:
# ausearch -m avc -ts 10:40:00 | audit2allow -m my_script > my_script.te
This will produce a type enforcement description.
You should proceed to review the code to ensure its correctness and compile the type enforcement code into a module:
# checkmodule -M -m -o my_script.mod my_script.te
The module must be packaged into a policy package for you to be able to load it and unload it at will:
# semodule_package -o my_script.pp -m my_script.mod
Now, you can load the policy using:
# semodule -i my_script.pp
Check it is correctly loaded:
# semodule -l | grep my_script
Then, try to trigger the denials again and see if there are more (different) alerts in the audit log regarding this same process.
Further edits to the type enforcement code will require the version (1.0) to be updated, or loading the package will fail. Once compiled and packaged, update the policy package by issuing:
# semodule -u my_script.pp
There is a lot to learn when starting with SELinux. Some useful references:
- The manpages of the commands.
- Check also the output of apropos selinux.
From the RHEL docs
A good introductory presentation by Dave Quigley:
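An added example, not part of the original answer, that walks the same pipeline offline on a constructed audit excerpt: a small awk stand-in for the ausearch | audit2allow -m step (so the generated .te can be read and reviewed), the module/require/allow layout that checkmodule -M -m consumes, and a version bump before semodule -u. The AVC records, the my_script_t type, the file names and the function names are all constructed assumptions; on a real system the rules come from audit2allow, and this parser is a simplified illustration of what it produces, not a replacement for it.

```shell
#!/bin/sh
# Added example: reviewable stand-in for the "ausearch -m avc | audit2allow -m" step.
# Every sample value below is constructed for illustration.

# Constructed AVC records in the shape ausearch -m avc prints them
# (the last record is a SYSCALL line, which the parser must ignore).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:901): avc:  denied  { read } for  pid=4242 comm="my_script.sh" name="app.conf" dev="vda1" ino=1337 scontext=system_u:system_r:my_script_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:902): avc:  denied  { open } for  pid=4242 comm="my_script.sh" path="/etc/app.conf" dev="vda1" ino=1337 scontext=system_u:system_r:my_script_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:903): avc:  denied  { search } for  pid=4242 comm="my_script.sh" name="log" dev="vda1" ino=2 scontext=system_u:system_r:my_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.103:903): arch=c000003e syscall=257 success=no exit=-13'

# avc_to_allow_rules: stdin = audit records, stdout = one allow rule per
# (source type, target type, class) with permissions merged and deduplicated.
# Simplified stand-in for audit2allow; the type is the third field of a context.
avc_to_allow_rules() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)      # keep the text after "{ "
      sub(/ *[}].*/, "", perms)              # drop the text from " }" onwards
      st = ""; tt = ""; tc = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        else if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
      }
      if (st == "" || tt == "" || tc == "") next
      key = st SUBSEP tt SUBSEP tc
      if (!(key in order)) { order[key] = ++count; keys[count] = key }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!seen[key, p[j]]++) rules[key] = rules[key] " " p[j]
    }
    END {
      for (k = 1; k <= count; k++) {
        split(keys[k], f, SUBSEP)
        perms = substr(rules[keys[k]], 2)
        if (index(perms, " ")) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", f[1], f[2], f[3], perms
      }
    }'
}

# make_te_module NAME VERSION: stdin = allow rules, stdout = type enforcement
# source with the module header and require block that checkmodule -M -m expects
# (the same layout audit2allow -m emits, so the result can be diffed against it).
make_te_module() {
  awk -v name="$1" -v version="$2" '
    $1 == "allow" {
      rules[++n] = $0
      split($3, ct, ":")                        # target_type:class
      if (!seen_type[$2]++)    types = types "\ttype " $2 ";\n"
      if (!seen_type[ct[1]]++) types = types "\ttype " ct[1] ";\n"
      p = $0
      sub(/^[^:]*:[^ ]* /, "", p); sub(/;$/, "", p); gsub(/[{}]/, "", p)
      m = split(p, pa, " ")
      if (!(ct[2] in corder)) { corder[ct[2]] = ++nc; classes[nc] = ct[2] }
      for (i = 1; i <= m; i++)
        if (!seen_perm[ct[2], pa[i]]++) cperms[ct[2]] = cperms[ct[2]] " " pa[i]
    }
    END {
      printf "module %s %s;\n\nrequire {\n%s", name, version, types
      for (k = 1; k <= nc; k++) {
        cp = substr(cperms[classes[k]], 2)
        if (index(cp, " ")) cp = "{ " cp " }"
        printf "\tclass %s %s;\n", classes[k], cp
      }
      printf "}\n\n"
      for (k = 1; k <= n; k++) print rules[k]
    }'
}

# bump_module_version NEW_VERSION: stdin = .te source, stdout = the same source
# with the module header version replaced. As the answer notes, the version has
# to change before the rebuilt package is loaded with semodule -u.
bump_module_version() {
  case "$1" in
    ''|*[!0-9.]*) echo "bump_module_version: bad version '$1'" >&2; return 1 ;;
  esac
  sed "s/^\(module [^ ]*\) [0-9][0-9.]*;/\1 $1;/"
}

# demo: run the pipeline on the constructed records and, when the SELinux
# toolchain is installed, compile and package the result for review.
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules | make_te_module my_script 1.0 > "$dir/my_script.te"
  cat "$dir/my_script.te"
  if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
    checkmodule -M -m -o "$dir/my_script.mod" "$dir/my_script.te" &&
      semodule_package -o "$dir/my_script.pp" -m "$dir/my_script.mod" &&
      echo "built $dir/my_script.pp (load it with: semodule -i $dir/my_script.pp)"
  else
    echo "checkmodule/semodule_package not found; review $dir/my_script.te by hand" >&2
  fi
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh example.sh demo`. The point of the parser is review, not automation: each allow rule it prints maps back to one (scontext, tcontext, tclass) triple in the audit log, which is exactly what you should be checking before deciding whether the access belongs in the policy at all.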