Chapter 51. Customizing SELinux Policy
In earlier releases of Red Hat Enterprise Linux it was necessary to install the selinux-policy-targeted-sources packages and then to create a local.te file in the /etc/selinux/targeted/src/policy/domains/misc directory. You could use the audit2allow utility to translate the AVC messages into allow rules, and then rebuild and reload the policy.
The problem with this approach was that every time a new policy package was released, the Makefile had to be executed again in order to try to keep the local policy.
In Red Hat Enterprise Linux 5, this process has been completely revised. The "sources" rpm packages have been completely removed, and policy packages are treated more like the kernel. To look at the sources used to build the policy, you need to install the source rpm, selinux-policy-XYZ.src.rpm. A further package, selinux-policy-devel, has also been added, which provides further customization functionality.
51.1.1. Modular Policy
Red Hat Enterprise Linux introduces the concept of modular policy. This allows vendors to ship SELinux policy separately from the operating system policy. It also allows administrators to make local changes to policy without worrying about the next policy install. The most important command that was added was semodule.
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. You can also use semodule to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction.
semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.
51.1.1.1. Listing Policy Modules
To list the policy modules on a system, use the semodule -l command:

    semodule -l
    amavis    1.1.0
    ccs       1.0.0
    clamav    1.1.0
    dcc       1.1.0
    evolution 1.1.0
    iscsid    1.0.0
    mozilla   1.1.0
    mplayer   1.1.0
    nagios    1.1.0
    oddjob    1.0.1
    pcscd     1.0.0
    pyzor     1.1.0
    razor     1.1.0
    ricci     1.0.0
    smartmon  1.1.0

This command does not list the base policy module, which is also installed.
The /usr/share/selinux/targeted/ directory contains a number of policy package (*.pp) files. These files are included in the selinux-policy rpm and are used to build the policy file.
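As an added example (not Red Hat's code and not part of this chapter), the following Python script compares the modules that semodule -l reports against the *.pp files shipped in /usr/share/selinux/targeted/, so an administrator can spot modules loaded into the store that did not come from the selinux-policy rpm, while allowing for the base module that semodule -l never lists. The listing, the file names and the "mylocal" module are constructed sample data.

```python
import os


def parse_semodule_list(output):
    """Parse `semodule -l` output (one "name version" per line) into a
    dict of module name -> version; blank or malformed lines are skipped."""
    modules = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            modules[parts[0]] = parts[1]
    return modules


def shipped_module_names(pp_files):
    """Module names from the selinux-policy rpm's *.pp file names
    ('amavis.pp' -> 'amavis'). base.pp is excluded because `semodule -l`
    never lists the base module, so it would show up as a false 'missing'."""
    names = set()
    for path in pp_files:
        stem, ext = os.path.splitext(os.path.basename(path))
        if ext == ".pp" and stem != "base":
            names.add(stem)
    return names


def audit_modules(semodule_output, pp_files):
    """Return (loaded_but_not_shipped, shipped_but_not_loaded), both sorted.
    The first list is the one to review: modules in the store that did not
    come from the distribution package, i.e. vendor or locally built .pp files."""
    loaded = set(parse_semodule_list(semodule_output))
    shipped = shipped_module_names(pp_files)
    return sorted(loaded - shipped), sorted(shipped - loaded)


# Constructed sample: a subset of the `semodule -l` listing above plus one
# hypothetical locally installed module, "mylocal".
SAMPLE_SEMODULE_OUTPUT = "amavis 1.1.0\nccs 1.0.0\nclamav 1.1.0\nmylocal 1.0\n"

# Constructed sample of the .pp files in /usr/share/selinux/targeted/.
SAMPLE_PP_FILES = ["/usr/share/selinux/targeted/" + f for f in
                   ("base.pp", "amavis.pp", "ccs.pp", "clamav.pp", "nagios.pp")]

if __name__ == "__main__":
    extra, missing = audit_modules(SAMPLE_SEMODULE_OUTPUT, SAMPLE_PP_FILES)
    print("loaded but not shipped by selinux-policy:", extra)  # ['mylocal']
    print("shipped but not loaded:", missing)                  # ['nagios']
```

On a real system, feed the script the actual output of semodule -l and the result of listing /usr/share/selinux/targeted/ instead of the constructed samples.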