I think you may be going about this the hard way. Are you using the setroubleshoot packages? setroubleshoot.x86_64 setroubleshoot-plugins.noarch setroubleshoot-server.x86_64 They provide sealert and some other tools for analyzing AVCs and writing local policies. The original policy module doesn't need to be replaced. It can just be augmented. When I need to write or add to a policy, I put selinux in permissive mode, make note of the time, run the program and exercise it. Then I put selinux back in enforcing mode. Then I run: ausearch -ts 01/06/2025 09:53:57 --raw | audit2allow -M my-moduleName Substitute your date and time for above. The module name just needs to be something you recognize. I always preface the package with "my-" so I can search on my policy modules. The command will produce a te file and a pp file. You install the my-moduleName.pp file using: semodule -X 300 -i my-moduleName.pp Your new policy is now installed and selinux is using it. -- _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
