In this tutorial I will show you, with a simple example, how you can easily get a better Fedora distro with SELinux.
SELinux uses a policy store to keep track of its loaded policy modules and related settings.
You can see that my active policy store name is mls:
[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name: mls
I want to create a policy, in the easiest way, to deny memory.
There are many ways to do that, or to find an existing setting for it in SELinux.
If you want to deny user domain applications the ability to map a memory region as both executable and writable, you can use deny_execmem.
Such mappings are dangerous and an executable that needs them should be reported in Bugzilla, and they are enabled by default.
You must turn on the deny_execmem boolean:
setsebool -P deny_execmem 1
Let's use it:
[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-WebContent.pp
[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp
Let's see if this SELinux module is currently loaded:
[root@desk mythcat]# semodule -l | grep Web
my-WebContent
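Because audit2allow turns logged denials into allow rules, a module built right after enabling deny_execmem can grant the very permission the boolean blocks. The following shell check is an added example, not part of the original tutorial: it scans the .te file that audit2allow -M writes for execmem, execstack or execheap rules before semodule -i is run. The sample module content and the type name example_t are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): review a module generated by
# audit2allow before loading it with semodule.

# Print every allow rule in a .te file that grants execmem, execstack or
# execheap on the process class (single permission or a { ... } set).
risky_rules() {
    grep -E '^[[:space:]]*allow[[:space:]].*:process[[:space:]]+(\{[^}]*[[:space:]])?(execmem|execstack|execheap)[[:space:];}]' "$1"
}

# Return 0 when the module grants none of those permissions, 1 otherwise.
safe_to_load() {
    if risky_rules "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample in the layout audit2allow -M writes; the type name
# example_t is hypothetical.
write_sample() {
    cat > "$1" <<'EOF'
module my-WebContent 1.0;

require {
	type example_t;
	class process { execmem fork };
	class file read;
}

#============= example_t ==============
allow example_t self:process execmem;
allow example_t self:process fork;
allow example_t self:file read;
EOF
}

te=$(mktemp)
write_sample "$te"
if safe_to_load "$te"; then
    echo "no execmem-class rules: OK to install"
else
    echo "module would re-allow blocked mappings:"
    risky_rules "$te"
fi
rm -f "$te"
```

Run it against my-WebContent.te in the directory where audit2allow was executed, and install the .pp only after the flagged rules have been reviewed.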