
HowTo: Appfirst with SELinux enabled

Ok, first off, I hate people who say "turn off SELinux"... man, those idiots might as well tell you to turn off your firewall and open up your servers to the world.

This sounds like a nice gesture but, in today's internet, it's a shortcut to online suicide.

Anyway, here's a mini-howto on how to generate your appfirst policy. You will probably have to generate it yourself, since you might have different plugins/modules/whatever configured.

Here it goes:

# install the nice tools you need
su -
yum install -y setools-console policycoreutils-python

# remove the selinux_chk from /etc/init.d/afcollector.
...

# clean your audit.log
cat /dev/null > /var/log/audit/audit.log

# start appfirst while selinux is active
service afcollector start

# wait for it to start and generate a few selinux warnings (and get denied)
...

# now, set enforce off
setenforce 0

# generate a good policy (writes appfirst.te and appfirst.pp in the current directory)
audit2allow -M appfirst < /var/log/audit/audit.log

# read appfirst.te before loading it: every denial in the log becomes an allow rule

# activate it
semodule -i appfirst.pp

# set selinux up again
setenforce 1

# check for errors
seaudit-report /var/log/audit/audit.log

# done!

You can copy your appfirst.pp to all your servers. It's untested but it has worked fine so far for me! ;)

This is the file I got. Please comment on it.

# cat appfirst.te
module appfirst 1.0;

require {
type unconfined_t;
type initrc_state_t;
type consoletype_t;
type proc_t;
type user_tmpfs_t;
type systemd_passwd_agent_t;
class process execmem;
class shm { write unix_read getattr unix_write associate read };
class file { write getattr read open };
}

#============= consoletype_t ==============
allow consoletype_t initrc_state_t:file read;

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t initrc_state_t:file { read getattr open };
allow systemd_passwd_agent_t proc_t:file { read getattr open };
allow systemd_passwd_agent_t self:process execmem;
allow systemd_passwd_agent_t unconfined_t:shm { write unix_read getattr unix_write associate read };
allow systemd_passwd_agent_t user_tmpfs_t:file { read write };

-- end of file; don't copy this --
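Everything that gets denied between truncating audit.log and running audit2allow ends up in the module, not only the collector's denials, which is how rules for consoletype_t and systemd_passwd_agent_t can land in a module meant for afcollector. The POSIX sh/awk filter below is an added example (not part of the original post) that summarises AVC records by comm=, scontext, tcontext, tclass and permissions so you can see which domains would get rules; the audit lines are constructed samples, and the process name afcollector and its initrc_t domain are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log (not a real capture). It mixes
# the collector's own denials with two from unrelated domains logged in the same
# window, which is how rules for consoletype_t and systemd_passwd_agent_t can end
# up in a module meant for afcollector. The process name "afcollector" and its
# initrc_t domain are assumptions.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1400000000.123:101): avc:  denied  { read } for  pid=2101 comm="afcollector" name="stat" dev="proc" ino=4026531962 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1400000001.456:102): avc:  denied  { read } for  pid=2150 comm="consoletype" name="runlevel" dev="sda1" ino=12345 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
type=AVC msg=audit(1400000002.789:103): avc:  denied  { execmem } for  pid=2170 comm="systemd-tty-ask" scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=process
type=AVC msg=audit(1400000003.012:104): avc:  denied  { write open } for  pid=2101 comm="afcollector" name="afcollector.log" dev="sda1" ino=67890 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Print one "scontext tcontext tclass { perms }" line per AVC denial read from
# stdin, optionally keeping only records whose comm= equals $1. Each line is a
# tuple audit2allow would turn into an allow rule, so this is what to review.
avc_summary() {
  awk -v want="$1" '
    /^type=AVC .*avc:  denied/ {
      perms = comm = sc = tc = cl = ""
      if (match($0, /denied  [{][^}]*[}]/)) perms = substr($0, RSTART + 8, RLENGTH - 8)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "scontext") sc = kv[2]
        if (kv[1] == "tcontext") tc = kv[2]
        if (kv[1] == "tclass")   cl = kv[2]
      }
      if (want == "" || comm == want) print sc, tc, cl, perms
    }'
}

# Number of distinct source domains (the type part of scontext) that would get
# rules. A module for one daemon should yield exactly one; more is a red flag.
count_source_domains() {
  avc_summary "$1" | awk '{ split($1, c, ":"); print c[3] }' | sort -u | wc -l | tr -d ' '
}

# Unfiltered, three domains get rules; filtered to the collector, only initrc_t.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_source_domains afcollector
```

On a real box, feed the filtered records to audit2allow instead of the whole log (for example `avc_summary` is only the review step; `grep 'comm="afcollector"' /var/log/audit/audit.log | audit2allow -M appfirst` keeps the module to the collector's own denials).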

P.S. Never turn off SELinux; that's the major idiot's way!