Merge SELinux policy files
This script accepts SELinux rulesets via STDIN (e.g. the output of audit2allow) and by reading an existing policy file. It merges, deduplicates and sorts the two inputs to produce an output policy which contains the contents of both sources.
-i|--input Read an existing SELinux policy file.
-o|--output Write the resulting merged policy to a file. Defaults to STDOUT.
-v|--version Override the module number given to the resulting merged policy. Defaults to incrementing whatever version number is fed in from file, then stdin.
-n|--name Override the module name given to the resulting merged policy. Defaults to whatever name is fed in from file, then stdin.
-h|--help Print this message
semerge is a Perl script and should be portable to pretty much any POSIX system. It requires the Getopt::Long module which is available from CPAN and probably your distribution's package manager.
"Installing" from git is trivial:
git clone git@github.com:djjudas21/semerge.git
sudo ln -s semerge/semerge.pl /usr/local/bin/semerge
Update your cloned copy by running git pull once in a while.
semerge -i existingpolicy.pp -o existingpolicy.pp
# or
cat existingpolicy.pp | semerge > existingpolicy.pp
Deduplicates and alphabetises existingpolicy.pp
cat /var/log/audit/audit.log | audit2allow | semerge -i existingpolicy.pp -o newpolicy.pp
Create newpolicy.pp which merges new rules from audit2allow into existingpolicy.pp
cat /var/log/audit/audit.log | audit2allow | semerge -i existingpolicy.pp -o existingpolicy.pp
Update existingpolicy.pp with new rules from audit2allow