A while ago, Jonathan wrote a really useful post about how to use SELinux – it’s useful, and I tend to refer to it every time I need to build an SELinux policy to get something working.
However, yesterday I hit a wrinkle not covered in that post. I was working on a nagios plugin which didn’t work when run by nrpe. It worked from the command line, and worked via nrpe with SELinux disabled (which pointed the finger neatly at SELinux) but it didn’t leave any traces in the audit log, which makes building a policy difficult!
The reason is that the default (targeted) policy on CentOS includes a set of “dontaudit” rules. A dontaudit rule does not grant anything: the access is still denied because there is no matching allow rule, but the denial is never written to the audit log. The intention is to keep a lot of common, harmless noise out of the log, but it doesn’t help you when the thing being silenced is exactly the denial you need to see in order to build a policy!
Luckily you can turn that behaviour off temporarily. `semodule --disable_dontaudit --build` (the short form is `semodule -DB`) rebuilds the loaded policy with every dontaudit rule stripped out, so the suppressed denials start appearing in /var/log/audit/audit.log. Switching to permissive mode with `setenforce 0` is a separate step: it lets the plugin run to completion so you capture every denial in one go rather than just the first one. Neither change survives a reboot, but don’t rely on that: rebuild the policy with `semodule --build` to put the dontaudit rules back, and `setenforce 1` to return to enforcing, as soon as you have what you need.
    # Turn it off:
    sudo semodule --disable_dontaudit --build
    sudo setenforce 0

    # Turn it back on:
    sudo semodule --build
    sudo setenforce 1
With dontaudit disabled, I got the information I needed in the audit log and was able to successfully build a policy that made my nagios check work.
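Once the denials are in the audit log, the usual next step is `ausearch -m avc -ts recent | audit2allow -M nrpe_check_foo` followed by `semodule -i nrpe_check_foo.pp`. The example below is added here to show what audit2allow is actually doing with those lines; it is not code from the original post, from Nagios or NRPE, or from the SELinux tooling. It parses a constructed audit.log sample (the PIDs, paths, timestamps and the check name `check_foo` are made up; `nrpe_t`, `etc_t` and `postgresql_port_t` are assumed to be the type names the targeted policy would use) and groups the AVC denials into `allow` rules plus the `require` block a `.te` file needs.

```python
"""Turn AVC denial records into allow rules: an audit2allow-style illustration."""
import re
from collections import defaultdict

# Constructed sample of audit.log records (not captured from a real host), shaped
# like what appears once dontaudit rules are disabled and SELinux is permissive.
# The trailing permissive=1 field is what newer kernels add in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415281234.567:8901): avc:  denied  { read } for  pid=4321 comm="check_foo" name="foo.conf" dev="dm-0" ino=131 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1415281234.567:8901): arch=c000003e syscall=2 success=yes exit=3 comm="check_foo" subj=system_u:system_r:nrpe_t:s0
type=AVC msg=audit(1415281234.568:8902): avc:  denied  { open } for  pid=4321 comm="check_foo" path="/etc/foo/foo.conf" dev="dm-0" ino=131 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415281234.570:8903): avc:  denied  { name_connect } for  pid=4321 comm="check_foo" dest=5432 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1415281299.001:8950): avc:  granted  { setenforce } for  pid=1 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# An AVC record always carries verdict, permission set, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"\bavc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def context_type(ctx):
    """A context is user:role:type[:range]; TE rules are written against the type only."""
    return ctx.split(":")[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # SYSCALL records and 'granted' AVCs reveal no policy gap
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])
    return dict(perms_by_key)


def format_allow_rules(perms_by_key):
    """One allow rule per (source, target, class), with the permissions merged."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


def build_te_module(name, perms_by_key):
    """Wrap the rules in the .te skeleton that checkmodule/semodule_package expect."""
    types = sorted({t for key in perms_by_key for t in key[:2]})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in perms_by_key.items():
        class_perms[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += format_allow_rules(perms_by_key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te_module("nrpe_check_foo", collect_denials(SAMPLE_AUDIT_LOG)))
```

The point of seeing the grouping laid out is that everything the plugin attempted while permissive ends up as an `allow`, including things you may not want to allow: in the sample, the `name_connect` to the database port is the kind of rule to check against the existing policy (a boolean or a relabel may be the right fix) before you install the module.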