1AUDIT2ALLOW(1)                        NSA                       AUDIT2ALLOW(1)
2
3
4

NAME

6       audit2allow  -  generate SELinux policy allow/dontaudit rules from logs
7       of denied operations
8
9       audit2why - translates SELinux audit messages into a description of why
10       the access was denied (audit2allow -w)
11
12

SYNOPSIS

14       audit2allow [options]
15

OPTIONS

17       -a | --all
18              Read input from audit and message log, conflicts with -i
19
20       -b | --boot
21              Read input from audit messages since last boot conflicts with -i
22
23       -d | --dmesg
24              Read  input from output of /bin/dmesg.  Note that all audit mes‐
25              sages are not available via dmesg when auditd  is  running;  use
26              "ausearch -m avc | audit2allow"  or "-a" instead.
27
28       -D | --dontaudit
29              Generate dontaudit rules (Default: allow)
30
31       -h | --help
32              Print a short usage message
33
34       -i  <inputfile> | --input <inputfile>
35              read input from <inputfile>
36
37       -l | --lastreload
38              read input only after last policy reload
39
40       -m <modulename> | --module <modulename>
41              Generate module/require output <modulename>
42
43       -M <modulename>
44              Generate loadable module package, conflicts with -o
45
46       -p <policyfile> | --policy <policyfile>
47              Policy file to use for analysis
48
49       -o <outputfile> | --output <outputfile>
50              append output to <outputfile>
51
52       -r | --requires
53              Generate require output syntax for loadable modules.
54
55       -N | --noreference
56              Do not generate reference policy, traditional style allow rules.
57              This is the default behavior.
58
59       -R | --reference
60              Generate reference policy using installed macros.  This attempts
61              to match denials against interfaces and may be inaccurate.
62
63       -w | --why
64              Translates  SELinux audit messages into a description of why the
65              access was denied
66
67
68       -v | --verbose
69              Turn on verbose output
70
71

DESCRIPTION

73       This utility scans the logs for messages logged when the system  denied
74       permission  for  operations,  and  generates  a snippet of policy rules
75       which, if loaded into policy, might have allowed  those  operations  to
76       succeed.  However,  this  utility  only generates Type Enforcement (TE)
77       allow rules.  Certain permission denials may  require  other  kinds  of
78       policy  changes, e.g. adding an attribute to a type declaration to sat‐
79       isfy an existing constraint, adding a role allow rule, or  modifying  a
80       constraint.   The audit2why(8) utility may be used to diagnose the rea‐
81       son when it is unclear.
82
83       Care must be exercised while acting on the output of  this  utility  to
84       ensure  that  the  operations  being  permitted  do not pose a security
85       threat. Often it is better to define new domains and/or types, or  make
86       other structural changes to narrowly allow an optimal set of operations
87       to succeed, as opposed to  blindly  implementing  the  sometimes  broad
88       changes  recommended  by this utility.   Certain permission denials are
89       not fatal to the application, in which case it  may  be  preferable  to
90       simply  suppress  logging  of  the denial via a 'dontaudit' rule rather
91       than an 'allow' rule.
92

EXAMPLE

94       NOTE: These examples are for systems using the audit package. If you do
95       not use the audit package, the AVC messages will be in /var/log/messages.
96       Please substitute /var/log/messages for /var/log/audit/audit.log in the
97       examples.
98
99       Using audit2allow to generate monolithic (non-module) policy
100       $ cd /etc/selinux/$SELINUXTYPE/src/policy
101       $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
102       $ cat domains/misc/local.te
103       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
104       <review domains/misc/local.te and customize as desired>
105       $ make load
106
107       Using audit2allow to generate module policy
108
109       $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
110       $ cat local.te
111       module local 1.0;
112
113       require {
114               role system_r;
115
116
117               class fifo_file {  getattr ioctl };
118
119
120               type cupsd_config_t;
121               type unconfined_t;
122        };
123
124
125       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
126       <review local.te and customize as desired>
127
128       Building module policy manually
129
130       # Compile the module
131       $ checkmodule -M -m -o local.mod local.te
132       # Create the package
133       $ semodule_package -o local.pp -m local.mod
134       # Load the module into the kernel
135       $ semodule -i local.pp
136
137       Using audit2allow to generate and build module policy
138       $ cat /var/log/audit/audit.log | audit2allow -M local
139       Generating type enforcment file: local.te
140       Compiling policy: checkmodule -M -m -o local.mod local.te
141       Building package: semodule_package -o local.pp -m local.mod
142
143       ******************** IMPORTANT ***********************
144
145       In order to load this newly created policy package into the kernel,
146       you are required to execute
147
148       semodule -i local.pp
149
150

AUTHOR

152       This manual page was written by Manoj Srivastava <srivasta@debian.org>,
153       for   the  Debian  GNU/Linux  system.  It  was  updated  by  Dan  Walsh
154       <dwalsh@redhat.com>
155
156       The audit2allow utility has contributions from several people,  includ‐
157       ing Justin R. Smith and Yuichi Nakamura.  and Dan Walsh
158
159
160
161Security Enhanced Linux          January 2005                   AUDIT2ALLOW(1)