Welcome!
Today, I’ll show you how to create a local policy module, either for testing or as a workaround until an issue is fixed in our distro selinux-policy. The local module will be written in CIL (Common Intermediate Language), so this post applies to Fedora 23 and higher.
As an example we can look at the following BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1349998
In the description of the BZ we can find this AVC:
type=AVC msg=audit(1466793837.663:1360): avc: denied { setrlimit }
for pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0
tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
The important parts of the AVC for us:
avc: denied { setrlimit }
scontext=system_u:system_r:zabbix_agent_t:s0
tcontext=system_u:system_r:zabbix_agent_t:s0
tclass=process
From these parts we can create an allow rule in CIL. The template for an allow rule is:
(allow source_context target_context (tclass (permissions)))
If we apply the template to our AVC it looks like this:
(allow zabbix_agent_t zabbix_agent_t(process (setrlimit)))
Now we add this line to a file. (Note: the name of your local module must be different from every module already used in the distro policy!)
$ cat zabbix_setrlimit.cil
(allow zabbix_agent_t zabbix_agent_t(process (setrlimit)))
Finally, we can load this local module into the kernel:
# semodule -i zabbix_setrlimit.cil
And that’s it! The rule from the AVC report is loaded into the kernel! You can verify it using:
$ sesearch -A -s zabbix_agent_t -t zabbix_agent_t -c process -p setrlimit
Found 1 semantic av rules:
allow zabbix_agent_t zabbix_agent_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap setrlimit } ;
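The manual mapping above (take the type from scontext and tcontext, the tclass, and the permissions in braces) is easy to automate when an audit log contains many denials. The following script is an added example, not part of the original post: it parses AVC records, merges denials that share source, target and class into a single CIL allow rule, and prints the rules. The sample audit text is constructed from the post's own AVC plus one made-up second denial so the merging is visible.

```python
import re
from collections import defaultdict

# Fields of one AVC denial; DOTALL because records may be wrapped across lines.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)",
    re.DOTALL,
)

def context_type(ctx):
    """Type field of a context user:role:type[:range], e.g. zabbix_agent_t."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return fields[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial."""
    # Each record starts at 'type=AVC'; text up to the next one belongs to it.
    for rec in re.split(r"(?=type=AVC\b)", text):
        m = _AVC_RE.search(rec)
        if m:
            yield (context_type(m.group("scontext")),
                   context_type(m.group("tcontext")),
                   m.group("tclass"),
                   frozenset(m.group("perms").split()))

def cil_allow_rules(text):
    """Merge denials with the same source, target and class into one CIL rule."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)].update(perms)
    return ["(allow %s %s (%s (%s)))" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(merged.items())]

# Constructed sample: the post's AVC as wrapped on the page, plus a second,
# made-up denial on the same source/target/class to show permissions merging.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1466793837.663:1360): avc: denied { setrlimit }
for pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0
tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
type=AVC msg=audit(1466793838.001:1361): avc: denied { setsched } for pid=15770 comm="zabbix_agentd" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:zabbix_agent_t:s0 tclass=process permissive=0
"""

if __name__ == "__main__":
    for rule in cil_allow_rules(SAMPLE_AUDIT):
        print(rule)  # (allow zabbix_agent_t zabbix_agent_t (process (setrlimit setsched)))
```

Review each generated rule before writing it to a .cil file: a denial is only worth allowing if the access is genuinely needed by the confined service, so the output is a starting point for the module, not something to load blindly.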
Pretty easy, don’t you think? 😉