Creating Custom SELinux Policy Modules
This article walks you through creating custom SELinux policy modules. This is often needed for DRBD Proxy or DRBD® when the upstream SELinux policy for them is incomplete or missing.
You’ll need some utilities (audit2allow in particular) that might not be standard on your installation:
# yum install policycoreutils-python
On RHEL/CentOS 8 and later the package is called policycoreutils-python-utils instead.
First make sure SELinux is actually what is blocking you. Run the following while attempting the DRBD operation that fails:
# tail -F /var/log/audit/audit.log | grep drbd_t
You would see log entries like the following. The AVC record names the denied permission (here the sys_admin capability), the source context of the process and the target it acted on; the SYSCALL record with the same audit ID shows which program made the call. Note that success=yes in the SYSCALL record means the call went through anyway, so the domain was permissive when this was captured; in enforcing mode you will see success=no and the operation fails.
type=AVC msg=audit(1423259804.313:913): avc: denied { sys_admin } for pid=7681 comm=drbdsetup-84 capability=21 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1423259804.313:913): arch=c000003e syscall=1 success=yes exit=40 a0=2 a1=252f080 a2=28 a3=7fffd393cd70 items=0 ppid=7677 pid=7681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=drbdsetup-84 exe=/usr/lib/drbd/drbdsetup-84 subj=system_u:system_r:drbd_t:s0 key=(null)
These entries can be used to create a custom policy module with the audit2allow command:
# grep drbd_t /var/log/audit/audit.log | audit2allow -M drbdlocal
This writes two files into the current directory: drbdlocal.te, the human-readable policy source, and drbdlocal.pp, the compiled module. Read drbdlocal.te before loading it. audit2allow grants exactly what was denied, and a capability such as sys_admin is very broad, so make sure every rule is one DRBD genuinely needs. Note also that grep drbd_t matches every record that merely mentions drbd_t, including ones where it is only the target; keep only the denials whose scontext is drbd_t.
Then load the policy into the running rules:
# semodule -i drbdlocal.pp
After that, you should no longer see the same operations being denied in audit.log. However, getting past one denial often just exposes the next one. Repeat the last two steps until no new messages appear in audit.log. Because audit.log still contains the earlier denials, each regenerated drbdlocal.pp covers everything seen so far, and installing it with the same module name replaces the previous version, so you end up with a single drbdlocal.pp that includes all relevant SELinux rules. You can copy that module to other similar systems; keep drbdlocal.te alongside it so the module can be rebuilt on a system whose policy version differs.
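The following is an added example, not code from the LINBIT article: it wraps the audit2allow loop above in a shell script that lists the grants a module would contain before anything is loaded. The module name drbdlocal, the scratch file under /tmp, and the use of ausearch to select AVC records are my assumptions, not the article's; the second AVC record in the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the LINBIT article: the article's audit2allow
# loop for drbd_t, with a review step in front of semodule -i.
# Assumptions (mine, not the article's): module name drbdlocal, a scratch
# file under /tmp, and ausearch/audit2allow/semodule from policycoreutils.

# Constructed sample input: the AVC record quoted in the article plus a second,
# made-up denial on a block device, so avc_summary can be run offline.
SAMPLE_AVC='type=AVC msg=audit(1423259804.313:913): avc: denied { sys_admin } for pid=7681 comm=drbdsetup-84 capability=21 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:system_r:drbd_t:s0 tclass=capability
type=AVC msg=audit(1423259810.100:920): avc: denied { read write } for pid=7690 comm=drbdsetup-84 path=/dev/drbd0 dev=devtmpfs ino=1234 scontext=system_u:system_r:drbd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'

# avc_summary: read AVC records on stdin and print one
# "<source type> <target type> <class> <permission>" line per denied permission,
# sorted and de-duplicated. This is the list of grants audit2allow is about to
# turn into allow rules, so it is what you want to read before loading anything.
avc_summary() {
    awk '/^type=AVC/ && / denied / {
        perms = ""
        if (match($0, /\{[^}]*\}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u
}

# build_drbd_module: one iteration of the article's loop. Needs root, auditd and
# policycoreutils, so it is not exercised offline. ausearch -m AVC --raw selects
# AVC records only; the grep then keeps those whose *source* domain is drbd_t,
# which is narrower than grepping audit.log for the bare string drbd_t.
build_drbd_module() {
    mod=${1:-drbdlocal}
    tmp="/tmp/$mod.avc"
    ausearch -m AVC --raw | grep 'scontext=[^ ]*:drbd_t:' > "$tmp" || {
        echo "no AVC denials for drbd_t found" >&2; return 1; }
    echo "== permissions the module will grant =="
    avc_summary < "$tmp"
    # audit2allow -M writes $mod.te (readable) and $mod.pp (loadable) in the
    # current directory; read $mod.te before the semodule step.
    audit2allow -M "$mod" -i "$tmp"
    semodule -i "$mod.pp"
}

# Offline usage: printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run build_drbd_module as root on the node, reproduce the failing DRBD operation, and repeat until avc_summary prints nothing new; the summary makes it obvious when a single broad grant (a capability, or write access to a device type) is doing the work, which is the rule to scrutinise before copying the module elsewhere.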
Reviewed 2021/01/11 – DJV