SELinux setup: use audit2allow to parse the denied permissions, then load the result with semodule

Step 1. First install the policy management package

[root@pgrep2 ~]# yum install policycoreutils-python-utils

Step 2. Look at the SELinux denials recorded in /var/log/audit/audit.log (-a reads the audit log, -w explains why each access was denied)

[root@pgrep2 ~]# audit2allow -a -w
type=AVC msg=audit(1648541515.585:187): avc:  denied  { execute } for  pid=16614 comm="(pg_ctl)" name="pg_ctl" dev="dm-3" ino=50454990 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1648544255.235:195): avc:  denied  { execute } for  pid=16698 comm="(pg_ctl)" name="pg_ctl" dev="dm-3" ino=50454990 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1648544511.933:197): avc:  denied  { relabelto } for  pid=16719 comm="chcon" name="pg_ctl" dev="dm-3" ino=50454990 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1648544803.422:198): avc:  denied  { execute } for  pid=16802 comm="(pg_ctl)" name="pg_ctl" dev="dm-3" ino=50454990 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Step 3. Generate the allow rules that would be needed

[root@pgrep2 ~]# audit2allow -a

#============= init_t ==============
allow init_t default_t:file execute;

#============= unconfined_t ==============
allow unconfined_t init_t:file relabelto;

Step 4. Have audit2allow build the .pp file directly so that semodule can load it

If you instead export the .te with ">", you have to run checkmodule (.te to .mod) and semodule_package (.mod to .pp) yourself, and finally load the .pp with semodule. Note that -M takes a module name, not a file name: it writes <name>.te and <name>.pp. Passing init_t.pp, as below, therefore produces init_t.pp.te and init_t.pp.pp.

[root@pgrep2 ~]# audit2allow -a -M init_t.pp
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i init_t.pp.pp

[root@pgrep2 ~]# semodule -i init_t.pp.pp

If SELinux still blocks it, repeat Step 4 until no denials remain.

Each pass adds whatever the newest denial asks for, so review the generated rules before loading them. The target here is default_t, the label a file gets when no fcontext rule matches its path, and the chcon attempt was denied because it tried to give the file init_t, which is the systemd process domain, not a file type. Giving the file a proper label (restorecon, or semanage fcontext followed by restorecon) is a narrower fix than allowing init_t to execute, read and map every default_t file on the system.

After the repeated passes, the allow rules end up as follows

[root@pgrep2 ~]# audit2allow -a 


#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t default_t:file { execute execute_no_trans map open read };

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t init_t:file relabelto;
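The whole procedure from Steps 2 to 4 in one script, added here as an example that is not part of the original post: it parses AVC denial lines the way audit2allow -a does, wraps the rules in a minimal .te module with the require block checkmodule needs, and shows the checkmodule, semodule_package and semodule pipeline for a hand-written .te. The sample log lines are constructed from the denials above (not a live capture), the module name local_pgctl and the functions are this example's own, and the bin_t label in relabel_instead is an assumption; only POSIX sh and awk are needed for the parsing, the SELinux tools are called only if installed.

```shell
#!/bin/sh
# Added example, not the original post's code: AVC lines -> allow rules ->
# .te module -> (optionally) a loaded policy package.

# Constructed sample input: the two distinct denials from the post plus one
# duplicate, to show deduplication. Not a live capture from this machine.
SAMPLE_AVC='type=AVC msg=audit(1648541515.585:187): avc:  denied  { execute } for  pid=16614 comm="(pg_ctl)" name="pg_ctl" dev="dm-3" ino=50454990 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648544511.933:197): avc:  denied  { relabelto } for  pid=16719 comm="chcon" name="pg_ctl" dev="dm-3" ino=50454990 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648544803.422:198): avc:  denied  { execute } for  pid=16802 comm="(pg_ctl)" name="pg_ctl" dev="dm-3" ino=50454990 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_to_allow: AVC lines on stdin -> one "allow SRC TGT:CLASS PERMS;" per
# distinct (source type, target type, class, permission set), like audit2allow -a.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)   # text inside { }
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # context is user:role:TYPE:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (perms ~ / /) perms = "{ " perms " }"   # several perms need braces
        rule = "allow " src " " tgt ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# allow_to_te: allow rules on stdin -> module source (.te) with the require
# block checkmodule needs. $1 is the module name (this example: local_pgctl).
allow_to_te() {
    awk -v name="$1" '
    {
        rules[++n] = $0
        types[$2] = 1                          # source type
        split($3, tc, ":"); types[tc[1]] = 1   # target type and class
        cls = tc[2]
        perms = $0
        sub(/^[^:]*:[a-z_]* /, "", perms); sub(/;$/, "", perms)
        gsub(/[{}]/, "", perms)
        np = split(perms, pl, " ")
        for (j = 1; j <= np; j++)              # dedupe perms per class
            if (!((cls, pl[j]) in seen)) {
                seen[cls, pl[j]] = 1
                classperms[cls] = classperms[cls] " " pl[j]
            }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "    type %s;\n", t
        for (c in classperms) printf "    class %s {%s };\n", c, classperms[c]
        print "}\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# build_and_load: the manual path for a .te exported with ">" (audit2allow -M
# does these three steps itself). $1 is the module name; needs $1.te in the
# current directory and the SELinux userland, so it skips where absent.
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not installed; skipping" >&2; return 0; }
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# relabel_instead: for a default_t target the narrower fix is usually a proper
# file label, persisted with semanage and applied with restorecon, rather than
# allowing init_t to run any default_t file. $1 = path, $2 = file type to
# assign (assumption in this example: bin_t; use the type the binary ships with).
relabel_instead() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed; skipping" >&2; return 0; }
    semanage fcontext -a -t "$2" "$1" && restorecon -v "$1"
}

# Usage: audit log -> rules -> .te text. On a real host feed the audit log
# instead of SAMPLE_AVC, write TE to local_pgctl.te, review it, then run
# build_and_load local_pgctl, or prefer relabel_instead /path/to/pg_ctl bin_t.
TE=$(printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | allow_to_te local_pgctl)
printf '%s\n' "$TE"
```

Review the generated require block as well as the allow lines: the two types that appear together in a rule tell you at a glance whether you are about to let a system domain such as init_t touch an unlabeled type such as default_t.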
