1AUDIT2ALLOW(1) NSA AUDIT2ALLOW(1)
2
6 audit2allow - generate SELinux policy allow/dontaudit rules from logs
7 of denied operations
8 audit2why - translates SELinux audit messages into a description of why
10 the access was denied (audit2allow -w)
11
14 audit2allow [options]
15
17 -a | --all
18 Read input from audit and message log, conflicts with -i
19 -b | --boot
21 Read input from audit messages since last boot conflicts with -i
22 -d | --dmesg
24 Read input from output of /bin/dmesg. Note that all audit mes‐
25 sages are not available via dmesg when auditd is running; use
26 "ausearch -m avc | audit2allow" or "-a" instead.
27 -D | --dontaudit
29 Generate dontaudit rules (Default: allow)
30 -h | --help
32 Print a short usage message
33 -i <inputfile> | --input <inputfile>
35 read input from <inputfile>
36 -l | --lastreload
38 read input only after last policy reload
39 -m <modulename> | --module <modulename>
41 Generate module/require output <modulename>
42 -M <modulename>
44 Generate loadable module package, conflicts with -o
45 -p <policyfile> | --policy <policyfile>
47 Policy file to use for analysis
48 -o <outputfile> | --output <outputfile>
50 append output to <outputfile>
51 -r | --requires
53 Generate require output syntax for loadable modules.
54 -N | --noreference
56 Do not generate reference policy, traditional style allow rules.
57 This is the default behavior.
58 -R | --reference
60 Generate reference policy using installed macros. This attempts
61 to match denials against interfaces and may be inaccurate.
62 -x | --xperms
64 Generate extended permission access vector rules
65 -w | --why
67 Translates SELinux audit messages into a description of why the
68 access was denied
69 -v | --verbose
72 Turn on verbose output
73
76 This utility scans the logs for messages logged when the system denied
77 permission for operations, and generates a snippet of policy rules
78 which, if loaded into policy, might have allowed those operations to
79 succeed. However, this utility only generates Type Enforcement (TE)
80 allow rules. Certain permission denials may require other kinds of
81 policy changes, e.g. adding an attribute to a type declaration to sat‐
82 isfy an existing constraint, adding a role allow rule, or modifying a
83 constraint. The audit2why(8) utility may be used to diagnose the rea‐
84 son when it is unclear.
85 Care must be exercised while acting on the output of this utility to
87 ensure that the operations being permitted do not pose a security
88 threat. Often it is better to define new domains and/or types, or make
89 other structural changes to narrowly allow an optimal set of operations
90 to succeed, as opposed to blindly implementing the sometimes broad
91 changes recommended by this utility. Certain permission denials are
92 not fatal to the application, in which case it may be preferable to
93 simply suppress logging of the denial via a 'dontaudit' rule rather
94 than an 'allow' rule.
95
97 NOTE: These examples are for systems using the audit package. If you do
98 not use the audit package, the AVC messages will be in /var/log/messages.
99 Please substitute /var/log/messages for /var/log/audit/audit.log in the
100 examples.
101 Using audit2allow to generate module policy
103 $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
105 $ cat local.te
106 module local 1.0;
107 require {
109 class file { getattr open read };
110 type myapp_t;
113 type etc_t;
114 };
115 allow myapp_t etc_t:file { getattr open read };
118 <review local.te and customize as desired>
119 Using audit2allow to generate module policy using reference policy
121 $ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
123 $ cat local.te
124 policy_module(local, 1.0)
125 gen_require(`
127 type myapp_t;
128 type etc_t;
129 };
130 files_read_etc_files(myapp_t)
132 <review local.te and customize as desired>
133 Building module policy using Makefile
135 # SELinux provides a policy devel environment under
137 # /usr/share/selinux/devel including all of the shipped
138 # interface files.
139 # You can create a te file and compile it by executing
140 $ make -f /usr/share/selinux/devel/Makefile local.pp
142 # This make command will compile a local.te file in the current
145 # directory. If you did not specify a "pp" file, the make file
146 # will compile all "te" files in the current directory. After
147 # you compile your te file into a "pp" file, you need to install
148 # it using the semodule command.
149 $ semodule -i local.pp
151 Building module policy manually
153 # Compile the module
155 $ checkmodule -M -m -o local.mod local.te
156 # Create the package
158 $ semodule_package -o local.pp -m local.mod
159 # Load the module into the kernel
161 $ semodule -i local.pp
162 Using audit2allow to generate and build module policy
164 $ cat /var/log/audit/audit.log | audit2allow -M local
166 Generating type enforcement file: local.te
167 Compiling policy: checkmodule -M -m -o local.mod local.te
169 Building package: semodule_package -o local.pp -m local.mod
170 ******************** IMPORTANT ***********************
172 In order to load this newly created policy package into the kernel,
174 you are required to execute
175 semodule -i local.pp
177 Using audit2allow to generate monolithic (non-module) policy
179 $ cd /etc/selinux/$SELINUXTYPE/src/policy
181 $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
182 $ cat domains/misc/local.te
183 allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
184 <review domains/misc/local.te and customize as desired>
185 $ make load
186
189 This manual page was written by Manoj Srivastava <srivasta@debian.org>,
190 for the Debian GNU/Linux system. It was updated by Dan Walsh
191 <dwalsh@redhat.com>
192 The audit2allow utility has contributions from several people, includ‐
194 ing Justin R. Smith and Yuichi Nakamura. and Dan Walsh
195Security Enhanced Linux October 2010 AUDIT2ALLOW(1)