Monthly Archives: August 2016
Merging SELinux policies
We make extensive use of SELinux on all our systems. We manage SELinux config and policy with the jfryman/selinux Puppet module, which means we store SELinux policies as plain-text .te (type enforcement) sources, the same format that audit2allow generates.
One of our SELinux policies, the one that covers permissions for NRPE, is a large file. When we generate new rules with audit2allow (e.g. for new Nagios plugins), merging them into that file by hand is tedious and mistakes are easy to make: a rule lands in the wrong place, a permission gets dropped, or the same allow rule ends up in the file twice with different permission sets.
So I wrote semerge, a tool to merge SELinux policy files, with the ability to mix and match stdin/stdout and reading/writing files.
This example accepts input from audit2allow and merges the new rules into an existing policy. Note that the merge works on the .te source, not on a .pp file: a .pp is the compiled policy package produced by checkmodule and semodule_package, which no text-based tool can merge. Using the same path for -i and -o is only safe if the tool reads the whole input before it opens the output, and keeping the policy under version control makes a bad merge a one-line revert:
cat /var/log/audit/audit.log | audit2allow | semerge -i existingpolicy.te -o existingpolicy.te
And this example deduplicates and alphabetises an existing policy in place:
semerge -i existingpolicy.te -o existingpolicy.te
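What both commands above do, as an added illustration written for this page rather than semerge's own code: parse .te sources in the layout audit2allow emits (one statement per line, an optional module header and require block, and allow/dontaudit/auditallow rules), union the declarations and rules, merge overlapping permission sets for the same source/target/class, derive the require block from the rules so checkmodule does not reject the result, and write the policy back sorted, so that running it over a single file deduplicates and alphabetises it. The sample NRPE policy and audit2allow output below are constructed for the example; the names and functions are my own, not semerge's.

```python
"""Merge, deduplicate and alphabetise SELinux .te sources. Added illustration, not semerge's code;
assumes audit2allow's one-statement-per-line layout and rejects anything it does not understand."""
import re
from collections import defaultdict

MODULE_RE = re.compile(r'^module\s+(\S+)\s+(\d+(?:\.\d+)*);$')
DECL_RE = re.compile(r'^(type|attribute)\s+(\S+);$')
CLASS_RE = re.compile(r'^class\s+(\S+)\s+(.+);$')
RULE_RE = re.compile(r'^(allow|dontaudit|auditallow)\s+(\S+)\s+(\S+):(\S+)\s+(.+);$')

def _perms(text):
    return set(text.strip('{} ').split())          # '{ read open }' or 'read' -> {'open', 'read'}

def _fmt(perms):                                   # one permission bare, several braced, sorted
    return ' '.join(sorted(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'

class Policy:
    def __init__(self):
        self.name, self.version = None, None
        self.decls = {}                            # identifier -> 'type' | 'attribute'
        self.classes = defaultdict(set)            # class -> permissions declared in require
        self.rules = defaultdict(set)              # (kind, src, tgt, class) -> permissions

def parse(text):
    pol, in_require = Policy(), False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()        # comments carry no policy
        if not line: continue
        if line == 'require {' or (in_require and line == '}'):
            in_require = line == 'require {'
        elif in_require and (m := DECL_RE.match(line)):
            pol.decls[m.group(2)] = m.group(1)
        elif in_require and (m := CLASS_RE.match(line)):
            pol.classes[m.group(1)] |= _perms(m.group(2))
        elif not in_require and (m := MODULE_RE.match(line)):
            pol.name, pol.version = m.group(1), m.group(2)
        elif not in_require and (m := RULE_RE.match(line)):
            pol.rules[m.group(1, 2, 3, 4)] |= _perms(m.group(5))
        else:   # a merge tool that silently drops a rule it cannot parse is worse than none
            raise ValueError(f'line {lineno}: unsupported statement: {raw.strip()}')
    return pol

def merge(policies):                               # union of everything; first module header wins
    out = Policy()
    for pol in policies:
        if pol.name is not None and out.name is None:
            out.name, out.version = pol.name, pol.version
        elif pol.name not in (None, out.name):
            raise ValueError(f'module name mismatch: {out.name} vs {pol.name}')
        out.decls.update(pol.decls)
        for c, perms in pol.classes.items():
            out.classes[c] |= perms
        for key, perms in pol.rules.items():
            out.rules[key] |= perms
    # checkmodule rejects rules that use undeclared identifiers or permissions, and plain audit2allow
    # output (no -m) has no require block, so derive it from the rules; anything undeclared is a type.
    for (_kind, src, tgt, cls_), perms in out.rules.items():
        out.classes[cls_] |= perms
        for ident in (src, tgt):
            if ident != 'self':
                out.decls.setdefault(ident, 'type')
    return out

def emit(pol):
    if pol.name is None:
        raise ValueError('no module header in any input')
    lines = [f'module {pol.name} {pol.version};', '', 'require {']
    lines += [f'\t{k} {i};' for i, k in sorted(pol.decls.items(), key=lambda d: (d[1], d[0]))]
    lines += [f'\tclass {c} {_fmt(pol.classes[c])};' for c in sorted(pol.classes)] + ['}']
    last_src = None
    for key in sorted(pol.rules, key=lambda k: (k[1], k[2], k[3], k[0])):
        kind, src, tgt, cls_ = key
        if src != last_src:                        # audit2allow-style header per source type
            lines += ['', f'#============= {src} ==============']
            last_src = src
        lines.append(f'{kind} {src} {tgt}:{cls_} {_fmt(pol.rules[key])};')
    return '\n'.join(lines) + '\n'

def merge_te(*texts):                              # parse, merge, emit canonical text
    return emit(merge(parse(t) for t in texts))

# Constructed sample inputs: an existing NRPE policy with an overlapping duplicate rule, and raw
# audit2allow output for a few new denials (no module header, no require block).
EXISTING = """module nrpe_local 1.0;
require {
\ttype nrpe_t;
\ttype var_log_t;
\tclass file { read open };
}
allow nrpe_t var_log_t:file { read open };
allow nrpe_t var_log_t:dir search;
allow nrpe_t var_log_t:file read;
"""
NEW = """#============= nrpe_t ==============
allow nrpe_t httpd_log_t:file { getattr open read };
allow nrpe_t var_log_t:file getattr;
allow nrpe_t self:process signal;
"""
```

merge_te(EXISTING, NEW) returns the combined module with the two var_log_t:file rules collapsed into one and the dir and process classes added to the require block; merge_te(EXISTING) alone is the deduplicate-and-alphabetise case, and feeding the output back in returns it unchanged. Anything the parser does not recognise (interface calls, conditionals, a stray brace) raises instead of being dropped, which is the property to insist on in any tool that rewrites policy: a lost allow rule shows up as a denial in production, and a lost dontaudit as log noise that hides real denials.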
There are probably bugs, so please let me know if you find it useful, and log an issue if you run into problems.