SELinux & Building Security Modules - rharmonson/richtech GitHub Wiki

#SELinux & Building Security Modules

Below is a strategy for keeping SELinux enforcing while supporting applications that do not ship with an SELinux policy module.

The example builds a module for Phusion Passenger, but the same procedure can be applied to any application or service.

##SELinux Phusion Passenger module

The process that follows can be used to create a security module for SELinux. The example is derived from a past installation of the Ruby on Rails "Tracks" application using MySQL, Apache, and Phusion Passenger. By default, SELinux prevents Passenger from functioning.

###Set Permissive Mode

Resource:

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-selinux.html

SELinux must be in permissive mode, not disabled, so that it still logs the denials Phusion Passenger triggers. Update /etc/selinux/config:

$ sudo vi /etc/selinux/config

Update the SELINUX value to permissive (no spaces around the equals sign):

SELINUX=permissive

To apply this to the current session without rebooting, set SELinux to permissive now:

$ sudo setenforce 0

###Install Application

Complete the application and dependency installations and testing. Once satisfied that everything is working as expected, restart the host or the services.

Restart Apache

$ sudo service httpd restart

###Generate SELinux Events

Start using your application, Tracks. Make sure to perform a variety of tasks so that most or all of the events needed to create the module are captured.

###Build SELinux Module

Walk through SELinux's audit log and generate the new SELinux policy module.

$ sudo grep httpd /var/log/audit/audit.log | audit2allow -M passenger

###Install SELinux Module

Install the newly created module:

$ sudo semodule -i passenger.pp
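The build and install steps above deserve a review pause: `grep httpd` matches every audit record that mentions httpd, including denials where httpd_t is only the target of some other domain, and audit2allow turns every AVC denial it is given into an allow rule. The script below is an added example, not code from the richtech wiki. It narrows the filter to denials whose source domain is httpd_t (the domain Apache and Passenger run in), summarises the permissions the module would grant so they can be read before `semodule -i`, and wraps the wiki's build step in a function that prints passenger.te before installing. The audit lines in SAMPLE_AUDIT are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the richtech wiki): review what audit2allow would allow
# before installing the Passenger module. Sample audit records are constructed.
set -eu

SAMPLE_AUDIT='type=AVC msg=audit(1400000000.123:101): avc:  denied  { execute } for  pid=1234 comm="httpd" path="/usr/bin/ruby" dev="dm-0" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1400000000.456:102): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.789:103): avc:  denied  { read } for  pid=2222 comm="sshd" path="/etc/shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.123:101): arch=c000003e syscall=59 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"'

# Keep only AVC denial records whose *source* domain is httpd_t.
# A plain `grep httpd` also matches non-AVC records (SYSCALL, PATH) and denials
# where httpd only appears in the target context, which is more than the module
# should be allowed to grant.
httpd_denials() {
    grep 'avc:  denied' | grep 'scontext=[^ ]*:httpd_t:'
}

# One line per distinct "<permissions> <target type> <object class>" that the
# generated module would allow; this is the list to read before installing.
denial_summary() {
    httpd_denials | awk '
    {
        # the permission set sits between braces: { execute } / { read write }
        match($0, /[{][^}]*[}]/)
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        key = perm " " ttype " " tclass
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# The wiki build step with a review pause. Needs audit2allow and semodule
# (policycoreutils) and root on the target host, so it is not run automatically.
build_passenger_module() {
    log=${1:-/var/log/audit/audit.log}
    httpd_denials < "$log" | audit2allow -M passenger
    cat passenger.te          # every allow rule printed here becomes policy
    semodule -i passenger.pp
}

# Demonstration on the constructed records: the sshd denial and the SYSCALL
# record are dropped, leaving the two httpd_t denials to review.
printf '%s\n' "$SAMPLE_AUDIT" | denial_summary
```

On a real host, run `build_passenger_module` (or `build_passenger_module /path/to/audit.log`) as root after reading the summary; if a line in the summary belongs to something other than Passenger, remove the corresponding record before generating the module rather than allowing it.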

###SELinux to Enforce

Update SELinux to enforcing mode.

$ sudo vi /etc/selinux/config

Update the SELINUX value to enforcing (the valid values are enforcing, permissive, and disabled):

SELINUX=enforcing

To apply this to the current session without rebooting, set SELinux to enforcing now:

$ sudo setenforce 1

##Done

In theory, you should now have SELinux enforcing security policies and a working application. If not, review SELinux's audit log, /var/log/audit/audit.log.