audit2allow(1)

1AUDIT2ALLOW(1)                        NSA                       AUDIT2ALLOW(1)
2
3
4

NAME

6       audit2allow  -  generate SELinux policy allow rules from logs of denied
7       operations
8

SYNOPSIS

10       audit2allow [options]
11

OPTIONS

13       -a | --all
14              Read input from audit and message log, conflicts with -i
15
16       -d | --dmesg
17              Read input from output of /bin/dmesg.  Note that all audit  mes‐
18              sages  are  not  available via dmesg when auditd is running; use
19              "ausearch -m avc | audit2allow"  or "-a" instead.
20
21       -f | --fcfile <File Context File>
22              Add File Context File to generated Module Package.  Requires  -M
23              option.
24
25       -h | --help
26              Print a short usage message
27
28       -i  <inputfile> | --input <inputfile>
29              read input from <inputfile>
30
31       -l | --lastreload
32              read input only after last policy reload
33
34       -m <modulename> | --module <modulename>
35              Generate module/require output <modulename>
36
37       -M <modulename>
38              Generate loadable module package, conflicts with -o
39
40       -o <outputfile> | --output <outputfile>
41              append output to <outputfile>
42
43       -r | --requires
44              Generate require output syntax for loadable modules.
45
46       -R | --reference
47              Generate  reference policy using installed macros.  Requires the
48              selinux-policy-devel package.
49
50       -t  | --tefile
51              Indicates input file is a te (type enforcement) file.  This  can
52              be used to translate old te format to new policy format.
53
54       -v | --verbose
55              Turn on verbose output
56
57

DESCRIPTION

59       This  utility scans the logs for messages logged when the system denied
60       permission for operations, and generates  a  snippet  of  policy  rules
61       which,  if  loaded  into policy, might have allowed those operations to
62       succeed. However, this utility only  generates  Type  Enforcement  (TE)
63       allow  rules.   Certain  permission  denials may require other kinds of
64       policy changes, e.g. adding an attribute to a type declaration to  sat‐
65       isfy  an  existing constraint, adding a role allow rule, or modifying a
66       constraint.  The audit2why(8) utility may be used to diagnose the  rea‐
67       son when it is unclear.
68
69       Care  must  be  exercised while acting on the output of this utility to
70       ensure that the operations being  permitted  do  not  pose  a  security
71       threat.  Often it is better to define new domains and/or types, or make
72       other structural changes to narrowly allow an optimal set of operations
73       to  succeed,  as  opposed  to  blindly implementing the sometimes broad
74       changes recommended by this utility.   Certain permission  denials  are
75       not  fatal  to  the  application, in which case it may be preferable to
76       simply suppress logging of the denial via  a  'dontaudit'  rule  rather
77       than an 'allow' rule.
78

EXAMPLE

80       NOTE: These examples are for systems using the audit package. If you do
81       not use the audit package, the AVC messages will be in /var/log/messages.
82       Please substitute /var/log/messages for /var/log/audit/audit.log in the
83       examples.
84
85       Using audit2allow to generate monolithic (non-module) policy
86       $ cd /etc/selinux/$SELINUXTYPE/src/policy
87       $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
88       $ cat domains/misc/local.te
89       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
90       <review domains/misc/local.te and customize as desired>
91       $ make load
92
93       Using audit2allow to generate module policy
94
95       $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
96       $ cat local.te
97       module local 1.0;
98
99       require {
100               role system_r;
101
102
103               class fifo_file {  getattr ioctl };
104
105
106               type cupsd_config_t;
107               type unconfined_t;
108        };
109
110
111       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
112       <review local.te and customize as desired>
113
114       Building module policy manually
115
116       # Compile the module
117       $ checkmodule -M -m -o local.mod local.te
118       # Create the package
119       $ semodule_package -o local.pp -m local.mod
120       # Load the module into the kernel
121       $ semodule -i local.pp
122
123       Using audit2allow to generate and build module policy
124       $ cat /var/log/audit/audit.log | audit2allow -M local
125       Generating type enforcment file: local.te
126       Compiling policy: checkmodule -M -m -o local.mod local.te
127       Building package: semodule_package -o local.pp -m local.mod
128
129       ******************** IMPORTANT ***********************
130
131       In order to load this newly created policy package into the kernel,
132       you are required to execute
133
134       semodule -i local.pp
135
136

AUTHOR

138       This manual page was written by Manoj Srivastava <srivasta@debian.org>,
139       for  the  Debian  GNU/Linux  system.  It  was  updated  by  Dan   Walsh
140       <dwalsh@redhat.com>
141
142       The  audit2allow utility has contributions from several people, includ‐
143       ing Justin R. Smith and Yuichi Nakamura.  and Dan Walsh
144
145
146
147Security Enhanced Linux          January 2005                   AUDIT2ALLOW(1)