Build selinux policy from AVC denials in audit.log

Assumes you have run something like the following

setenforce 0 && rm -f /var/log/audit/audit.log && touch /var/log/audit/audit.log && service auditd stop && service auditd start

Then recreate the AVC denials (i.e. systemctl restart haproxy if haproxy listens on an unusual port, curl http://localhost/example.php if your SQL database is a remote target, etc.)

cat /var/log/audit/audit.log | audit2allow -M local && semodule -i local.pp && setenforce 1

Then you should be able to repeat the second step (recreating the denials) without AVC denials. Edge cases can occur beyond simply restarting the daemon, so it's worth simulating a workload for a few seconds in case some arbitrary subroutine causes a denial; for example, HAProxy logging to an NFS target produces an AVC denial about 5 seconds after the restart.
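One check worth slotting in between recreating the denials and running audit2allow: while setenforce 0 is in effect, every denied domain on the box gets logged, not just the daemon you are fixing, and audit2allow will happily turn all of them into allow rules. The script below is an added example, not part of the original note; it summarises the distinct (source domain, target type, class, permissions) tuples in an audit.log and filters the records down to one domain before they are fed to audit2allow. The audit lines are constructed samples in the standard AVC record format.

```sh
#!/bin/sh
# Added example (not from the original note). Review what audit2allow would
# allow before building and installing the module.
# SAMPLE_AUDIT is a constructed stand-in for /var/log/audit/audit.log: three
# haproxy_t denials (one duplicated) plus one unrelated httpd_t denial that
# happened to land in the same permissive window.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_bind } for  pid=1201 comm="haproxy" src=8443 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=49 success=yes exit=0
type=AVC msg=audit(1700000000.105:102): avc:  denied  { write } for  pid=1201 comm="haproxy" name="haproxy.log" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.105:102): avc:  denied  { name_bind } for  pid=1201 comm="haproxy" src=8443 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.200:103): avc:  denied  { read } for  pid=1333 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1'

# One line per distinct "source -> target:class { perms }" tuple, read from stdin.
# This is what the generated local.te will contain allow rules for.
summarize_avc() {
    awk '/type=AVC/ && /avc:  denied/ {
        p = $0; sub(/.*denied  [{] /, "", p); sub(/ [}].*/, "", p)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s " -> " t ":" c " { " p " }"
    }' | sort -u
}

# Keep only AVC records whose source domain is the one being fixed ($1),
# so denials from other processes do not end up in the module.
filter_domain() {
    grep 'type=AVC' | grep "scontext=[^ ]*:$1:"
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
# Real use, replacing the bare cat in the note:
#   filter_domain haproxy_t < /var/log/audit/audit.log | audit2allow -M local
```

The summary for the sample shows the httpd_t tuple alongside the two haproxy_t ones, which is the case the filter exists for.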

There are certainly less clumsy ways of doing this, but it works well for my use case of short-lived, usually single-function VMs used for elastically scaling different worker pools on a large video sharing site. Very decent audit2allow tutorial here.