
Using Gentoo selocal for small policy enhancements
In a previous tutorial, we explained how to create your own policy module. However, when you only want to make small changes here and there, that approach may seem like too much overhead. To allow small changes to be made to the policy, Gentoo introduced the selocal command, which manages a local policy module (called "selocal") to which you can add and from which you can remove SELinux policy rules.

Using selocal
As the name implies, selocal aims to provide an interface for handling local policy updates that do not need to be packaged or distributed otherwise. It is a command-line application that you feed policy rules one at a time. Each rule can be accompanied by a single-line comment, so that the user can later see why the rule was added in the first place.

Let's say that you need to launch a small script you wrote as a daemon, but you want it to run while you are still in the staff_t domain (it is a user-side daemon you use personally). As regular staff_t isn't allowed to have processes bind on generic ports/nodes, you need to enhance the SELinux policy a bit. With selocal, you can do so as follows:

When finished, the local policy is enhanced with the two mentioned rules. You can query which rules are currently stored in the policy:

If you need to delete a rule, just pass the line number:

Having this tool around also makes it easier to test out changes suggested in bug reports.

Under the hood, selocal creates and maintains the necessary policy file in ~/.selocal and by default uses the module name selocal.
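As an added illustration, the following stand-alone shell script models the bookkeeping a tool like selocal performs: a rules file where every rule carries an optional one-line comment, a numbered listing, deletion by line number, and generation of the module source that the SELinux build tools would then compile and load. This is not the selocal script itself and does not reproduce its options or its file layout; the directory layout, the function names and the two example interface calls for the staff_t scenario above are assumptions.

```bash
#!/usr/bin/env bash
# Simplified model of a "local policy module" manager. Not the real selocal:
# file layout and function names are assumptions made for this example.

SELOCAL_DIR="${SELOCAL_DIR:-$(mktemp -d)}"   # the real tool keeps its state in ~/.selocal
RULES_FILE="$SELOCAL_DIR/rules"               # assumed: one rule per line, TAB, comment
MODULE_NAME="${MODULE_NAME:-selocal}"         # default module name, as on the page

# Add one policy rule with an optional comment explaining why it is there.
rule_add() {
    rule="$1"; comment="${2:-}"
    mkdir -p "$SELOCAL_DIR"
    printf '%s\t%s\n' "$rule" "$comment" >> "$RULES_FILE"
}

# Number of rules currently stored (0 when nothing was added yet).
rule_count() {
    [ -f "$RULES_FILE" ] || { echo 0; return; }
    wc -l < "$RULES_FILE" | tr -d ' '
}

# List the rules with line numbers so a user can refer to one when deleting.
rule_list() {
    [ -f "$RULES_FILE" ] || return 0
    awk -F'\t' '{ printf "%d: %s", NR, $1
                  if ($2 != "") printf "  # %s", $2
                  printf "\n" }' "$RULES_FILE"
}

# Delete the rule at the given 1-based line number; fails if out of range.
rule_del() {
    n="$1"
    [ -f "$RULES_FILE" ] || return 1
    total=$(rule_count)
    [ "$n" -ge 1 ] && [ "$n" -le "$total" ] || return 1
    tmp="$RULES_FILE.tmp"
    awk -v n="$n" 'NR != n' "$RULES_FILE" > "$tmp" && mv "$tmp" "$RULES_FILE"
}

# Emit the refpolicy-style .te source for the module. A higher version number
# is what lets a rebuilt module replace the one already loaded.
module_source() {
    version="${1:-1.0}"
    printf 'policy_module(%s, %s)\n\n' "$MODULE_NAME" "$version"
    [ -f "$RULES_FILE" ] || return 0
    awk -F'\t' '{ if ($2 != "") printf "# %s\n", $2; print $1 }' "$RULES_FILE"
}

# Walk through the staff_t daemon scenario when invoked as: ./script.sh demo
case "${1:-}" in
demo)
    # Constructed example rules: refpolicy interfaces granting the bind permissions
    rule_add "corenet_tcp_bind_generic_node(staff_t)" "personal daemon binds to a generic node"
    rule_add "corenet_tcp_bind_generic_port(staff_t)" "personal daemon binds to a generic port"
    rule_list
    rule_del 1
    module_source 1.1
    ;;
esac
```

Run the file with the `demo` argument to see the two rules listed with their comments, the first one removed again, and the resulting module source. In the real workflow the generated source is compiled with the SELinux policy build tools and loaded with semodule; the bookkeeping shown here is what makes "delete rule number N" a safe operation, because the listing and the deletion work from the same numbered file.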

What you need to remember
What you should remember from this tutorial is that:
 * Gentoo provides a selocal script to easily manage small policy enhancements
 * The selocal script by default manages the selocal policy module