Generate the SELinux policy rule module my-ping from the audit log denials
[centos7.9]#ausearch -c 'ping' --raw | audit2allow -M my-ping
Edit the rule contents
[centos7.9]#vim my-ping.te
module my-ping 1.0;
require {
	type httpd_t;
	class capability net_raw;
	class rawip_socket { create getopt setopt bind write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket {create getopt setopt bind write read};
Remove the .pp file that audit2allow generated
[centos7.9]#rm -f my-ping.pp
Generate the SELinux policy module my-ping.mod from the edited .te source
[centos7.9]#checkmodule -M -m -o my-ping.mod my-ping.te
Package the policy module into the policy rule module my-ping.pp
[centos7.9]#semodule_package -o my-ping.pp -m my-ping.mod
Install the policy rule module
[centos7.9]#semodule -i my-ping.pp
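The build steps above, wrapped in a POSIX sh script that first reviews the edited .te file before compiling and installing it. This is an added example, not part of the original page: the functions te_allow_rules, te_rules_scoped_to, build_module and review_and_install are hypothetical names; the tools checkmodule, semodule_package and semodule and the file my-ping.te are those from the page. The review step refuses to install a module whose allow rules reach beyond the expected source domain (httpd_t) or beyond "self", which is the usual way an audit2allow-generated module ends up granting more than the one denial it was written for.

```shell
#!/bin/sh
# Added example (not from the page): review a generated .te file, then
# compile, package and install it with the same commands used above.

# Print the allow rules of a .te file, one per line.
te_allow_rules() {
    grep -E '^[[:space:]]*allow[[:space:]]' "$1" | sed 's/[[:space:]]*$//'
}

# Return 0 when every allow rule has source domain $2 and target "self",
# 1 (and a message on stderr) on the first rule that does not.
te_rules_scoped_to() {
    domain="$2"
    te_allow_rules "$1" | while read -r rule; do
        set -- $rule                # allow <src> <tgt>:<class> <perms>
        src="$2"; tgt="${3%%:*}"
        if [ "$src" != "$domain" ] || [ "$tgt" != "self" ]; then
            echo "unexpected rule in $rule" >&2
            exit 1                  # exits the pipeline subshell -> status 1
        fi
    done
}

# checkmodule -> semodule_package -> semodule, stopping at the first failure.
build_module() {
    te="$1"; name="${te%.te}"
    checkmodule -M -m -o "$name.mod" "$te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
    semodule -i "$name.pp"
}

# Usage: review_and_install my-ping.te httpd_t
review_and_install() {
    if te_rules_scoped_to "$1" "$2"; then
        build_module "$1"
    else
        echo "refusing to install $1: rules not limited to $2 / self" >&2
        return 1
    fi
}

# Only act when invoked as: sh thisscript.sh install my-ping.te httpd_t
if [ "${1:-}" = "install" ]; then
    review_and_install "$2" "$3"
fi
```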