Monthly Archives: August 2016
Merging SELinux policies
We make extensive use of SELinux on all our systems. We manage SELinux config and policy with the jfryman/selinux Puppet module, which means we store SELinux policies in plain-text .te format – the same format that audit2allow generates them in.
One of our SELinux policies, which covers permissions for NRPE, is a large file. When we generate new rules (e.g. for new Nagios plugins) with audit2allow, merging the new rules in by hand is tedious and mistakes are easy to make.
So I wrote semerge – a tool to merge SELinux policy files with the ability to mix and match stdin/stdout and reading/writing files.
This example accepts input from audit2allow and merges the new rules into an existing policy:
cat /var/log/audit/audit.log | audit2allow | semerge -i existingpolicy.pp -o existingpolicy.pp
And this example deduplicates and alphabetises an existing policy:
semerge -i existingpolicy.pp -o existingpolicy.pp
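To make concrete what a merge of this kind has to do, here is a small Python merger for audit2allow-style .te policy text. It is example code written for this page, not semerge's own source, and the module name, the nrpe_t/var_log_t/proc_t rules and both policy texts are constructed sample data. It unions the require blocks, unions the permission sets of allow rules that share source, target and class, and sorts everything so that a second run over its own output changes nothing; it also reports any type or permission an allow rule uses without a matching require declaration, which checkmodule would otherwise reject.

```python
"""Merge audit2allow-style SELinux .te policy sources (constructed example).

Assumes one statement per line, as audit2allow emits them; it does not handle
interface calls, conditionals or rules wrapped over several lines.
"""
import re
from collections import defaultdict

ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$')
TYPE_RE = re.compile(r'^type\s+(\S+)\s*;$')
ATTR_RE = re.compile(r'^attribute\s+(\S+)\s*;$')
CLASS_RE = re.compile(r'^class\s+(\S+)\s+(\{[^}]*\}|\S+)\s*;$')
SKIP_RE = re.compile(r'^(module\s|require\s*\{|\}$)')   # module header, require braces


def _perms(token):
    """'{ read open }' or 'read' -> {'read', 'open'}."""
    return set(token.strip('{}').split())


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def parse_policy(text):
    """Return (types, attributes, classes, allows, other).

    allows maps (source, target, class) -> permission set, so two rules for the
    same triple collapse into one.  Statements the parser does not understand
    are kept verbatim in `other` rather than silently dropped."""
    types, attrs, other = set(), set(), []
    classes, allows = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and indentation
        if not line or SKIP_RE.match(line):
            continue
        if (m := ALLOW_RE.match(line)):
            src, tgt, cls, perms = m.groups()
            allows[(src, tgt, cls)] |= _perms(perms)
        elif (m := TYPE_RE.match(line)):
            types.add(m.group(1))
        elif (m := ATTR_RE.match(line)):
            attrs.add(m.group(1))
        elif (m := CLASS_RE.match(line)):
            classes[m.group(1)] |= _perms(m.group(2))
        else:
            other.append(line)
    return types, attrs, classes, allows, other


def render_policy(module_name, version, types, attrs, classes, allows, other):
    """Emit a fully sorted module so repeated runs are idempotent and diffable."""
    out = ['module %s %s;' % (module_name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tattribute %s;' % a for a in sorted(attrs)]
    out += ['\tclass %s %s;' % (c, _fmt_perms(classes[c])) for c in sorted(classes)]
    out += ['}', '']
    for src, tgt, cls in sorted(allows):
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, _fmt_perms(allows[(src, tgt, cls)])))
    out += sorted(other)
    return '\n'.join(out) + '\n'


def merge_policies(module_name, *sources, version='1.0'):
    """Union any number of .te sources into one deduplicated, sorted module."""
    types, attrs, other = set(), set(), []
    classes, allows = defaultdict(set), defaultdict(set)
    for source in sources:
        t, a, c, al, o = parse_policy(source)
        types |= t
        attrs |= a
        for cls, perms in c.items():
            classes[cls] |= perms
        for key, perms in al.items():
            allows[key] |= perms
        for stmt in o:
            if stmt not in other:
                other.append(stmt)
    return render_policy(module_name, version, types, attrs, classes, allows, other)


def missing_declarations(text):
    """Types and class permissions used by allow rules but absent from require {};
    checkmodule rejects such a module, so catch it before building the .pp."""
    types, attrs, classes, allows, _ = parse_policy(text)
    declared = types | attrs | {'self'}
    missing = set()
    for (src, tgt, cls), perms in allows.items():
        missing |= {'type ' + t for t in (src, tgt) if t not in declared}
        missing |= {'class %s %s' % (cls, p) for p in perms - classes.get(cls, set())}
    return missing


# Constructed sample inputs: an existing policy and fresh audit2allow output.
EXISTING = """module nrpe_local 1.0;
require {
    type nrpe_t;
    type var_log_t;
    class file { open read };
}
#============= nrpe_t ==============
allow nrpe_t var_log_t:file { open read };
"""

NEW_RULES = """module nrpe_local 1.0;
require {
    type nrpe_t;
    type var_log_t;
    type proc_t;
    class file { getattr read };
    class dir read;
}
allow nrpe_t var_log_t:file { getattr read };
allow nrpe_t proc_t:dir read;
"""

if __name__ == '__main__':
    merged = merge_policies('nrpe_local', EXISTING, NEW_RULES)
    print(merged, end='')
    print('missing declarations:', missing_declarations(merged) or 'none')
```

Comment lines (including audit2allow's `#=====` banners) are discarded and unrecognised statements such as dontaudit rules are passed through verbatim after the allow rules, so diff the merged output against the inputs before replacing a policy that is in production, and run the missing-declarations check before handing the result to checkmodule.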
There are probably bugs so please do let me know if you find it useful and log an issue if you run into problems.