Chapter 8. Customizing and Writing Policy


The commands and steps covered in this chapter may render your system inoperable or unsupportable.

Nothing in this chapter should be performed on a production system without having been thoroughly tested in a development or sandbox environment first.

If you are going to compile and install a custom policy, be prepared to take the actions you need to safeguard your data and installation. Proper backup procedures, change reversal plans, and an informed methodology are key to your success.

This chapter discusses troubleshooting and customizing your SELinux policy and presents a methodology for writing policy. Specific cautions are discussed.


Presenting a comprehensive guide to writing policy is not within the scope of this book. For more information on writing policy, refer to the resources in Chapter 9 References.

For this reason, the policy writing guidelines presented here are generic. Generic ideas are easier to apply to your unique environment.

If the resources and general methodologies are not sufficient for your policy writing needs, contact Red Hat support or sales for information about policy writing services.

8.1. General Policy Troubleshooting Guidelines

When troubleshooting, use the kernel boot parameter selinux=0 only as a last resort. If running setenforce at runtime is not sufficient, boot with the kernel parameter enforcing=0 to start in permissive mode. SELinux checking stays enabled and avc: denied messages are still logged to $AUDIT_LOG, but enforcement is disabled.

By troubleshooting with SELinux enabled, you can more easily identify and resolve problems. For example, if SELinux is fully disabled, the -Z option is not available for finding the security context of objects, and you cannot relabel a file or the file system. Finally, any new files or directories you create while SELinux is disabled have no SELinux security attributes, which causes further problems when you boot back into SELinux.

Reserve the selinux=0 boot parameter and the SELINUX=disabled setting in /etc/sysconfig/selinux/ for longer-term disabling.
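An added example, not from this guide, of the check you run after a permissive-mode boot: a POSIX shell script that reads avc: denied records and collapses them into unique source domain, target type, object class and permission tuples, so you can see exactly what enforcing mode would have blocked, plus a read of the SELINUX= setting from the config file. The audit lines and config text are constructed samples, and summarize_avc, count_permissive and config_mode are hypothetical names.

```shell
# Constructed sample of avc: denied records as the audit log collects them in
# permissive mode (note permissive=1 on each line). Not from a real system.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.124:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/user/public_html/index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# Constructed config text in the /etc/sysconfig/selinux style.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# summarize_avc (hypothetical name): read audit-log text on stdin and print one
# line per unique "source domain, target type, class, permissions" tuple with its
# count. Every line is an access that enforcing mode would have denied.
summarize_avc() {
    grep 'avc: *denied' | awk '
    {
        perms = ""; inperm = 0; sd = ""; tt = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }   # permission list opens
            if ($i == "}") { inperm = 0; continue }   # permission list closes
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            # the type is the third colon-separated field of a security context
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sd = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
        }
        count[sd " " tt " " cl " " perms]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# count_permissive (hypothetical name): number of denials that went through only
# because SELinux was permissive, i.e. what switching back to enforcing breaks.
count_permissive() {
    grep -c 'permissive=1'
}

# config_mode (hypothetical name): report the SELINUX= value from config text on
# stdin, to confirm the longer-term mode before rebooting.
config_mode() {
    awk -F= '/^SELINUX=/ { print $2 }'
}

# Usage: on a real system, feed the contents of $AUDIT_LOG instead of the sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | count_permissive
printf '%s\n' "$SAMPLE_CONFIG" | config_mode
```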