I recently ran into a situation where I needed to grant access to certain /home dirs in order to get puppetmaster started with SELinux enforcing. I also had to do it in such a way that I could keep the resulting “type enforcement” (.te) file in version control, so that the changes would be tracked in a human-readable form.


$ -> cd ~

$ -> echo > /var/log/audit/audit.log # this ensures a clean log for analysis

$ -> /etc/init.d/puppetmaster start # should fail

$ -> audit2allow -i /var/log/audit/audit.log -m puppetmaster # this outputs the permissions puppetmaster needs to reach the denied resources; copy and paste them into the .te file you keep in version control

$ -> checkmodule -M -m -o puppetmaster.mod /path/to/your/version/controlled/puppetmaster.te # this will create a .mod file

$ -> semodule_package -m puppetmaster.mod -o puppetmaster.pp # this will create a compiled semodule

$ -> semodule -i puppetmaster.pp # this will install the module

At this point you have added a custom puppetmaster SELinux module that gets you past the first denial discovered when trying to start the service. From here there are two courses of action, depending on whether the service now starts. If it starts, you are done. If it does not, repeat the steps above to determine which further permissions are required; rinse and repeat until the service starts.
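As an added example (not part of the original post), the following script reviews which allow rules a denial log will turn into before they are pasted into the version-controlled .te, and wraps the post's three build commands in a function. It assumes the reference-policy type names puppetmaster_t, user_home_dir_t and user_home_t, and the single-line AVC record format written by the Linux audit daemon; the audit.log content is constructed.

```shell
#!/bin/sh
# avc_summary: print one allow rule per distinct (source type, target type,
# class, permissions) found in audit records on stdin.  Duplicate denials
# collapse, so the output is what to expect in the .te and can be checked
# against the home directories you actually meant to expose.
# build_module: the checkmodule / semodule_package / semodule chain from the
# post, applied to a .te kept in version control (loading needs root).

# Constructed sample of audit.log content after a failed service start.
SAMPLE_AVC='type=AVC msg=audit(1400000000.001:10): avc:  denied  { search } for  pid=1000 comm="puppetmasterd" name="home" dev=dm-0 ino=2 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1400000000.001:10): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1400000000.002:11): avc:  denied  { read open } for  pid=1000 comm="puppetmasterd" name="site.pp" dev=dm-0 ino=77 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.003:12): avc:  denied  { read open } for  pid=1000 comm="puppetmasterd" name="site.pp" dev=dm-0 ino=77 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

avc_summary() {
    # Capture: permissions, source type, target type, object class.
    sed -n 's/^type=AVC .*denied *{ \([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*$/allow \2 \3:\4 { \1};/p' \
    | sort -u
}

build_module() {
    te="$1"
    name=$(basename "$te" .te)
    checkmodule -M -m -o "$name.mod" "$te" &&
        semodule_package -m "$name.mod" -o "$name.pp" &&
        semodule -i "$name.pp"
}

# One round of the rinse-and-repeat loop.  "ausearch -ts recent" selects the
# last ten minutes of records, so audit.log need not be truncated first:
#   /etc/init.d/puppetmaster start
#   ausearch -m AVC -ts recent | avc_summary                # review first
#   ausearch -m AVC -ts recent | audit2allow -m puppetmaster # merge into .te
#   build_module puppetmaster.te
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run against the constructed sample, avc_summary prints two rules: one giving puppetmaster_t search on user_home_dir_t directories and one giving it read/open on user_home_t files, which is exactly what audit2allow -m would emit for this log.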