1AUDIT2ALLOW(1)                        NSA                       AUDIT2ALLOW(1)
2
3
4

NAME

6       audit2allow  -  generate SELinux policy allow/dontaudit rules from logs
7       of denied operations
8
9       audit2why - translates SELinux audit messages into a description of why
10       the access was denied (audit2allow -w)
11
12

SYNOPSIS

14       audit2allow [options]
15

OPTIONS

17       -a | --all
18              Read input from audit and message log, conflicts with -i
19
20       -b | --boot
21              Read input from audit messages since last boot conflicts with -i
22
23       -d | --dmesg
24              Read  input from output of /bin/dmesg.  Note that all audit mes‐
25              sages are not available via dmesg when auditd  is  running;  use
26              "ausearch -m avc | audit2allow"  or "-a" instead.
27
28       -D | --dontaudit
29              Generate dontaudit rules (Default: allow)
30
31       -h | --help
32              Print a short usage message
33
34       -i  <inputfile> | --input <inputfile>
35              read input from <inputfile>
36
37       -l | --lastreload
38              read input only after last policy reload
39
40       -m <modulename> | --module <modulename>
41              Generate module/require output <modulename>
42
43       -M <modulename>
44              Generate loadable module package, conflicts with -o
45
46       -p <policyfile> | --policy <policyfile>
47              Policy file to use for analysis
48
49       -o <outputfile> | --output <outputfile>
50              append output to <outputfile>
51
52       -r | --requires
53              Generate require output syntax for loadable modules.
54
55       -N | --noreference
56              Do not generate reference policy, traditional style allow rules.
57              This is the default behavior.
58
59       -R | --reference
60              Generate reference policy using installed macros.  This attempts
61              to match denials against interfaces and may be inaccurate.
62
63       -w | --why
64              Translates  SELinux audit messages into a description of why the
65              access was denied
66
67
68       -v | --verbose
69              Turn on verbose output
70
71

DESCRIPTION

73       This utility scans the logs for messages logged when the system  denied
74       permission  for  operations,  and  generates  a snippet of policy rules
75       which, if loaded into policy, might have allowed  those  operations  to
76       succeed.  However,  this  utility  only generates Type Enforcement (TE)
77       allow rules.  Certain permission denials may  require  other  kinds  of
78       policy  changes, e.g. adding an attribute to a type declaration to sat‐
79       isfy an existing constraint, adding a role allow rule, or  modifying  a
80       constraint.   The audit2why(8) utility may be used to diagnose the rea‐
81       son when it is unclear.
82
83       Care must be exercised while acting on the output of  this  utility  to
84       ensure  that  the  operations  being  permitted  do not pose a security
85       threat. Often it is better to define new domains and/or types, or  make
86       other structural changes to narrowly allow an optimal set of operations
87       to succeed, as opposed to  blindly  implementing  the  sometimes  broad
88       changes  recommended  by this utility.   Certain permission denials are
89       not fatal to the application, in which case it  may  be  preferable  to
90       simply  suppress  logging  of  the denial via a 'dontaudit' rule rather
91       than an 'allow' rule.
92

EXAMPLE

94       NOTE: These examples are for systems using the audit package. If you do
95       not use the audit package, the AVC messages will be in /var/log/messages.
96       Please substitute /var/log/messages for /var/log/audit/audit.log in the
97       examples.
98
99       Using audit2allow to generate module policy
100
101       $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
102       $ cat local.te
103       module local 1.0;
104
105       require {
106               class file {  getattr open read };
107
108
109               type myapp_t;
110               type etc_t;
111        };
112
113
114       allow myapp_t etc_t:file { getattr open read };
115       <review local.te and customize as desired>
116
117       Using audit2allow to generate module policy using reference policy
118
119       $ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
120       $ cat local.te
121       policy_module(local, 1.0)
122
123       gen_require(`
124               type myapp_t;
125               type etc_t;
126        };
127
128       files_read_etc_files(myapp_t)
129       <review local.te and customize as desired>
130
131       Building module policy using Makefile
132
133       # SELinux provides a policy devel environment under
134       # /usr/share/selinux/devel including all of the shipped
135       # interface files.
136       # You can create a te file and compile it by executing
137
138       $ make -f /usr/share/selinux/devel/Makefile local.pp
139
140
141       # This make command will compile a local.te file in the current
142       # directory. If you did not specify a "pp" file, the make file
143       # will compile all "te" files in the current directory.  After
144       # you compile your te file into a "pp" file, you need to install
145       # it using the semodule command.
146
147       $ semodule -i local.pp
148
149       Building module policy manually
150
151       # Compile the module
152       $ checkmodule -M -m -o local.mod local.te
153
154       # Create the package
155       $ semodule_package -o local.pp -m local.mod
156
157       # Load the module into the kernel
158       $ semodule -i local.pp
159
160       Using audit2allow to generate and build module policy
161
162       $ cat /var/log/audit/audit.log | audit2allow -M local
163       Generating type enforcement file: local.te
164
165       Compiling policy: checkmodule -M -m -o local.mod local.te
166       Building package: semodule_package -o local.pp -m local.mod
167
168       ******************** IMPORTANT ***********************
169
170       In order to load this newly created policy package into the kernel,
171       you are required to execute
172
173       semodule -i local.pp
174
175       Using audit2allow to generate monolithic (non-module) policy
176
177       $ cd /etc/selinux/$SELINUXTYPE/src/policy
178       $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
179       $ cat domains/misc/local.te
180       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
181       <review domains/misc/local.te and customize as desired>
182       $ make load
183
184

AUTHOR

186       This manual page was written by Manoj Srivastava <srivasta@debian.org>,
187       for   the  Debian  GNU/Linux  system.  It  was  updated  by  Dan  Walsh
188       <dwalsh@redhat.com>
189
190       The audit2allow utility has contributions from several people,  includ‐
191       ing Justin R. Smith and Yuichi Nakamura.  and Dan Walsh
192
193
194
195Security Enhanced Linux          October 2010                   AUDIT2ALLOW(1)
Impressum