Archive for March, 2006

SELinux Loadable Policy Modules

Friday, March 3rd, 2006

A new SELinux feature that makes local policy adjustments much easier has been easy to overlook amid all the complaints that SELinux is hard to use.

The audit2allow tool should be well known by now: given a snippet of the audit log, it outputs policy rules that allow every operation the log shows as currently denied. The user is expected to add those rules to the (large) policy, recompile the policy and load it. Finding the “right” place in the policy is not always obvious, though, and a future update of the selinux-policy package might overwrite the modifications.

Now there is an alternative, which is especially convenient when trying to extend the policy to handle a new daemon: run

audit2allow -M modulename -i auditlogfile

This will create a binary loadable module modulename.pp that can be quickly loaded by

semodule -i modulename.pp

or unloaded using

semodule -r modulename

The audit2allow command also creates modulename.te, a plain-text representation of the module, which can be edited and compiled to create a changed binary loadable module, or used as a basis for patches to the default SELinux policy.
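To show what the .te file produced above actually contains, here is a minimal re-implementation of the translation step audit2allow performs, written as an added example (not the audit2allow tool's own code): it parses AVC denial records and emits the module, require and allow statements of the policy-module language. The audit lines and the mydaemon_t type are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records of the kind fed to audit2allow -i.
# The daemon and its type (mydaemon_t) are invented; the record format is the standard avc: denied line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1141375280.233:54): avc:  denied  { read } for  pid=2231 comm="mydaemon" name="mydaemon.conf" dev=hda2 ino=98765 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1141375280.233:55): avc:  denied  { getattr } for  pid=2231 comm="mydaemon" path="/etc/mydaemon.conf" dev=hda2 ino=98765 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1141375281.101:56): avc:  denied  { name_bind } for  pid=2231 comm="mydaemon" src=8081 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1141375281.101:56): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # A security context is user:role:type[:level]; the policy rules need only the type.
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(permissions)} from the AVC denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no denial to translate
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_te(module_name, rules, version="1.0"):
    """Render the .te text for these denials: module header, require block, allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)  # the require block must declare every class/permission used
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_te("mydaemon", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Read the generated allow rules before loading the module: they grant exactly what was denied, which is not always what the daemon ought to be permitted.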