6

I have a proprietary piece of software my company owns that needs access to a root-level file. We'll call it /secfile as it is security/license related. The system runs a daemon that writes out updated information to /secfile. This daemon, if prevented from updating /secfile, invalidates the license in question because it assumes foul play.

How can I force SELinux to allow the daemon, which resides at /bin/secdaemon, access to /secfile?

The only other application that needs access (which is currently not restricted) to /secfile is /usr/bin/licensemanager.

UtahJarhead
  • 2,077

1 Answer

15

Well, the easiest way is disabling SELinux, which I don't recommend, though:

setenforce 0

Or you can create a rule to allow it to write, run or whatever it needs to do and is being blocked so far. To do so, check your system log file and copy the line that is "denied"; it should be something like this:

audit(...): avc:  denied  { write } for  pid=27984 comm="httpd" name="httpd" dev=sda6 ino=307469 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=...

Copy it and run the following command:

audit2allow -M local << _EOF_
(paste the content)
_EOF_

Then, run:

semodule -i local.pp

That will create a permanent rule for it so you shouldn't need to disable SELinux.

nKn
  • 5,832
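As an added example (not part of the original answer): before pasting denials into audit2allow, it helps to keep only the records for the daemon in question and see what each one would permit. The function names, the sample log lines and the SELinux types in them (`initrc_t`, `default_t`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: narrow AVC denials to one daemon and summarise them
# for review before they are turned into a policy module.

# avc_for_comm COMM: keep only "avc: denied" records whose comm= is COMM.
avc_for_comm() {
    grep 'avc: *denied' | grep -F "comm=\"$1\""
}

# avc_summary: print one line per unique
# "source_type target_type:class { perms }" tuple found on stdin.
avc_summary() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything up to "{"
        sub(/ *[}].*/, "", perms)           # drop "}" and the rest
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        key = s " " t ":" c " { " perms " }"
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample records (timestamps, pids, inodes and types are made up).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:41): avc:  denied  { write } for  pid=27984 comm="httpd" name="httpd" dev=sda6 ino=307469 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1700000000.202:42): avc:  denied  { write } for  pid=1201 comm="secdaemon" name="secfile" dev=sda1 ino=12 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1700000000.303:43): avc:  denied  { write } for  pid=1201 comm="secdaemon" name="secfile" dev=sda1 ino=12 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1700000000.404:44): avc:  denied  { getattr } for  pid=1201 comm="secdaemon" path="/secfile" dev=sda1 ino=12 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

# Demo on the constructed sample. On a real host (log path is an assumption):
#   avc_for_comm secdaemon < /var/log/audit/audit.log > denials.txt
#   avc_summary < denials.txt && audit2allow -M local < denials.txt
sample_log | avc_for_comm secdaemon | avc_summary
```

A summary line that names a type or class unrelated to /secfile is a sign that the input contains denials the module should not cover.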