Creating SELinux policies for a custom setup

SELinux becomes a real problem as soon as something is configured to work in a non-standard way.

For me, it was the case with a custom dovecot setup where fusefs_t ended up inside the user_home_t context. The solution, I think, works just as well for other problems; it is the standard way to create custom policies.

After making sure the problem really is with the SELinux policy (a quick check: if the operation starts working after a temporary setenforce 0, SELinux is the culprit; remember to setenforce 1 again), let's check audit.log for the corresponding messages.

sealert -a /var/log/audit/audit.log  

This command prints the denials SELinux made, with a suggested fix for each (sealert comes with setroubleshoot-server; without it, ausearch -m AVC -ts recent shows the raw denials). Make sure the output contains only the expected activity: every denial you keep will be turned into an allow rule later. Then it is a good idea to make the process's domain permissive, because in enforcing mode SELinux stops the process at the first denial, so you would only ever see one new denial per run.

semanage permissive -a dovecot_t  

As you can see, this sets permissive mode for the dovecot_t domain only; the rest of the system stays enforcing, and dovecot's denials are still logged (marked permissive=1) but no longer block it. If something still fails without a matching denial in the log, it is probably hidden by a dontaudit rule: semodule -DB disables those temporarily, semodule -B restores them.
The next step is to generate new denials for audit.log: I simply retrieve new mail, use sieve filters and so on. Once everything has been exercised, it is time to create and apply a custom policy based on that activity.

Let's generate the policy:

audit2allow -a -M dovecot  

This command reads the whole audit log and creates dovecot.te (the readable source) and dovecot.pp (the compiled module) containing our new dovecot rules. Read dovecot.te before installing it: -a takes every denial in the log, not just dovecot's, and audit2allow will allow everything it sees. Where it notes that a denial can be allowed by a boolean, prefer setsebool -P over a custom allow rule.
Now it is time to apply this policy.

semodule -i dovecot.pp  

The command above can take some time; installing a module rebuilds the policy, which is not the fastest task, especially on a very slow system.

Now we can remove the dovecot_t domain from the permissive list.

semanage permissive -d dovecot_t  

To be sure, check that the permissive list no longer contains the domain (the grep should print nothing):

semanage permissive -l | grep dovecot_t  

If there are other problems, or SELinux blocks something else, these steps can be repeated :)
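As an added example (not the author's script), here is the whole procedure above as one script, with the one change a practitioner would want: the module is generated only from denials whose source context is dovecot_t, instead of from the entire audit log as audit2allow -a does, so a denial from another daemon (or from an attacker poking the box during your test) cannot end up as an allow rule. The audit records embedded in it are constructed for illustration; the dovecot_t domain, the module name dovecot and the path /var/log/audit/audit.log are assumptions that can be overridden with environment variables.

```bash
#!/usr/bin/env bash
# Added example for this post, not the author's own script.
# Assumptions (override via environment): the dovecot_t domain, a module
# named "dovecot", and auditd's default log path.
set -eu

DOMAIN="${DOMAIN:-dovecot_t}"
MODULE="${MODULE:-dovecot}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Constructed sample records in auditd's AVC format (not real log output).
# A non-AVC record and a denial from another domain are included on purpose,
# because both would be swept into the policy by "audit2allow -a".
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:200): arch=c000003e syscall=257 success=no exit=-13 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1700000000.101:200): avc:  denied  { read } for  pid=2210 comm="imap" name="dovecot.sieve" dev="fuse" ino=17 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:201): avc:  denied  { read write } for  pid=2210 comm="imap" name="Maildir" dev="fuse" ino=18 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.103:202): avc:  denied  { getattr } for  pid=998 comm="httpd" path="/srv/www/x" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# Keep only AVC records whose *source* context is the given domain (reads stdin).
filter_avc_for_domain() {
    local domain="$1"
    grep -E '^type=AVC ' | grep -E "scontext=[^ ]*:${domain}:" || true
}

# Number of denials attributed to the domain (reads stdin).
count_avc_for_domain() {
    filter_avc_for_domain "$1" | wc -l | tr -d ' '
}

# One line per denial: "<source type> <target type> <class> <permissions>",
# which is exactly what will become an allow rule; review it before installing.
summarize_avc() {
    filter_avc_for_domain "$1" | awk '
    {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }'
}

# The post's procedure end to end, generating the module only from this
# domain's denials. Needs root and the SELinux tools; run with "./script run".
build_policy() {
    local answer
    echo "[1] making ${DOMAIN} permissive so one run records every denial"
    semanage permissive -a "${DOMAIN}"

    echo "[2] exercise the service now (fetch mail, run sieve, ...), then press Enter"
    read -r answer

    echo "[3] denials recorded for ${DOMAIN}:"
    summarize_avc "${DOMAIN}" < "${AUDIT_LOG}" | sort | uniq -c

    # audit2allow reads denials from stdin when neither -a nor -i is given.
    filter_avc_for_domain "${DOMAIN}" < "${AUDIT_LOG}" | audit2allow -M "${MODULE}"

    echo "[4] review ${MODULE}.te; rules audit2allow marks as coverable by a boolean"
    echo "    are better handled with setsebool -P than with a custom allow rule"
    cat "${MODULE}.te"
    printf 'install %s.pp? [y/N] ' "${MODULE}"
    read -r answer
    if [ "${answer}" != "y" ]; then
        echo "aborted; ${DOMAIN} is still permissive, undo with: semanage permissive -d ${DOMAIN}"
        return 1
    fi

    semodule -i "${MODULE}.pp"
    semanage permissive -d "${DOMAIN}"
    if semanage permissive -l | grep -q "${DOMAIN}"; then
        echo "WARNING: ${DOMAIN} is still permissive"
        return 1
    fi
    echo "done: ${DOMAIN} is enforcing again with module ${MODULE} loaded"
}

if [ "${1:-}" = "run" ]; then
    build_policy
else
    # Dry demonstration on the constructed sample: only the two dovecot_t
    # denials survive the filter; the httpd_t one and the SYSCALL record do not.
    printf '%s\n' "${SAMPLE_AUDIT}" | summarize_avc "${DOMAIN}"
fi
```

Run without arguments it only prints the summary of the constructed sample; with the argument run it performs the real steps as root. The summary line "dovecot_t user_home_t dir read write" is the kind of rule worth a second look before installing: it is the author's fusefs_t-inside-user_home_t case, and it means dovecot_t will be allowed into user home directories for good.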