A Linux web server has SELinux set to enforcing, and every time Apache (httpd_t) tries to write to a new cache directory you see AVC denials such as:
avc: denied { write } for pid=2154 comm="httpd" ... tclass=dir
After reviewing the log you decide the access is legitimate and should be permitted without relaxing SELinux enforcement. Which of the following command sequences will create a loadable local policy module and immediately install it so the new rule survives a reboot?
The only sequence that both builds and loads a custom SELinux policy module is the one that pipes the denial messages into audit2allow with the -M option and then installs the resulting package with semodule -i.
audit2allow -M compiles the AVCs into a Type Enforcement file, then automatically calls checkmodule and semodule_package to create modulename.pp.
semodule -i modulename.pp loads that package into the active policy, making the change persistent across reboots.
Running audit2allow without -M (or omitting semodule -i) only prints rules; it does not alter policy. Switching the system to permissive mode or adding the httpd_t domain to the permissive list stops the denials but weakens security, while restorecon merely resets file contexts and does nothing for domain-based denials.
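To show what ends up in the Type Enforcement file mentioned above, here is an added example (not part of the original page, and not audit2allow's own code) that maps the fields of an AVC record onto a module source of the same shape. The sample record, the target type example_cache_t and the module name httpd_cache_local are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample denial; contexts and the target type are illustrative.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=2154 comm="httpd" name="cache" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:example_cache_t:s0 tclass=dir permissive=0'

# avc_to_te MODULE: read AVC records on stdin and print a .te source with one
# allow rule per distinct (source type, target type, class, permissions).
# Returns non-zero when the input contains no usable denial.
avc_to_te() {
    awk -v mod="$1" '
    /avc:[ ]+denied/ {
        perms = $0                       # text between "{" and "}"
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # context layout is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        rule = "allow " src " " tgt ":" cls " { " perms " };"
        if (rule in seen) next           # repeated denials yield one rule
        seen[rule] = 1; rules[++nr] = rule
        if (!(src in ty)) { ty[src] = 1; types[++nt] = src }
        if (!(tgt in ty)) { ty[tgt] = 1; types[++nt] = tgt }
        c = "class " cls " { " perms " };"
        if (!(c in cs)) { cs[c] = 1; classes[++nc] = c }
    }
    END {
        if (nr == 0) exit 1
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\t%s\n", classes[i]
        print "}\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Print the generated source for the sample so it can be reviewed before loading.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te httpd_cache_local

# On the SELinux host itself, the sequence described above (run as root):
#   ausearch -m AVC -c httpd --raw | audit2allow -M httpd_cache_local
#   semodule -i httpd_cache_local.pp
#   semodule -l | grep httpd_cache_local    # confirm the module is loaded
```

Reading the generated .te before running semodule -i is the point at which an over-broad rule, such as one naming a generic target type, can be caught.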
CompTIA Linux+ XK0-006 (V8)
Security