Creating a simple SE Linux policy module is not difficult.
audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
For example, I had a server whose kernel message log contained the above message: the spf-policy program (run from Postfix) was being denied permission to execute the "hostname" program. So I ran the following command to generate a .te file (SE Linux policy source):
dmesg|grep spf.policy|audit2allow -m local > local.te
The -m option to audit2allow instructs it to create a policy module. The local.te file is below:
module local 1.0;

require {
        class file execute;
        type hostname_exec_t;
        type postfix_master_t;
        role system_r;
};

allow postfix_master_t hostname_exec_t:file execute;
Then I used the following commands to create a policy module and package it:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
The result was the object file local.pp and an intermediate file local.mod (which incidentally can be removed once the build is finished).
After creating the module I used the following command to link it with the running policy and load it into the kernel:
semodule -i ./local.pp