This is a quick howto on creating a custom SELinux rule to allow a domain transition from one context to another.
In this example I will allow a process running in initrc_t (the php5-fpm init script) to transition into httpd_php_t when it executes the php5-fpm binary.
This is the file context of the init script:
system_u:object_r:initrc_exec_t:SystemLow /etc/init.d/php5-fpm
The init script will execute php5-fpm, which has the following file context:
system_u:object_r:httpd_php_exec_t:SystemLow /usr/sbin/php5-fpm
Right now, if I run the init script to launch php5-fpm, the process ends up with the following context:
system_u:system_r:initrc_t:s0 23182 ? Ss 0:00 php-fpm: master process
As you can see, the process stays in initrc_t instead of transitioning to the correct domain, httpd_php_t.
In order to allow the transition, we must create an SELinux policy module.
Create a new file /etc/selinux/httpd_php.te (you may use a different name, as long as it ends with .te) and fill it with the following content:
# module name and version (checkmodule requires both)
module httpd_php_t 1.0;
require {
    type initrc_t;
    type httpd_php_exec_t;
    type httpd_php_t;
    class file entrypoint;
    class process transition;
}
# when initrc_t executes a file labelled httpd_php_exec_t, the new process runs as httpd_php_t
type_transition initrc_t httpd_php_exec_t :process httpd_php_t;
# httpd_php_exec_t is a valid entry point into the httpd_php_t domain
allow httpd_php_t httpd_php_exec_t :file entrypoint;
# initrc_t is allowed to change its domain to httpd_php_t
allow initrc_t httpd_php_t :process transition;
Now, run the following commands to compile, package and install the SELinux module (remember to use the correct filename if you changed it):
checkmodule -M -m /etc/selinux/httpd_php.te -o /etc/selinux/httpd_php.mod
semodule_package -o /etc/selinux/httpd_php.pp -m /etc/selinux/httpd_php.mod
semodule -i /etc/selinux/httpd_php.pp
That's it. Now you can restart php5-fpm and the process should transition properly:
system_u:system_r:httpd_php_t:s0 23182 ? Ss 0:00 php-fpm: master process
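As an added example (not part of the original howto), the following shell script generalises the steps above: it writes the same three rules for any source domain, entrypoint type and target domain, builds and installs the module with the same three commands, and checks a "ps -eZ" line for the expected domain. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original howto: generate a domain-transition
# module for any (source domain, entrypoint type, target domain) triple,
# build it like the post does, and verify a "ps -eZ" line afterwards.

# Print a .te policy module letting SRC transition to DST through EXEC_T.
gen_transition_te() {
  mod=$1 src=$2 exec_t=$3 dst=$4
  cat <<EOF
module $mod 1.0;
require {
    type $src;
    type $exec_t;
    type $dst;
    class file entrypoint;
    class process transition;
}
# when $src executes a file labelled $exec_t, the child runs as $dst
type_transition $src $exec_t :process $dst;
# $exec_t is a valid entry point into the $dst domain
allow $dst $exec_t :file entrypoint;
# $src may change its domain to $dst
allow $src $dst :process transition;
EOF
}

# Return the type field of a context such as system_u:system_r:httpd_php_t:s0.
context_type() {
  printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Succeed if the first field of a "ps -eZ" line carries the expected domain.
runs_in_domain() {
  ctx=$(printf '%s\n' "$1" | awk '{ print $1 }')
  [ "$(context_type "$ctx")" = "$2" ]
}

# Compile, package and install a .te file (needs the SELinux tools and root).
build_and_install() {
  te=$1
  base=${te%.te}
  command -v checkmodule >/dev/null 2>&1 || { echo "SELinux tools missing" >&2; return 2; }
  checkmodule -M -m "$te" -o "$base.mod" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}
```

Writing `gen_transition_te httpd_php_t initrc_t httpd_php_exec_t httpd_php_t` to /etc/selinux/httpd_php.te and passing that path to build_and_install reproduces the howto exactly.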