1AUDIT2ALLOW(1) NSA AUDIT2ALLOW(1)
2
3
4
6 audit2allow - generate SELinux policy allow/dontaudit rules from logs
7 of denied operations
8
9 audit2why - translates SELinux audit messages into a description of why
10 the access was denied (audit2allow -w)
11
12
14 audit2allow [options]
15
17 -a | --all
18 Read input from audit and message log, conflicts with -i
19
20 -b | --boot
21 Read input from audit messages since last boot conflicts with -i
22
23 -d | --dmesg
24 Read input from output of /bin/dmesg. Note that all audit mes‐
25 sages are not available via dmesg when auditd is running; use
26 "ausearch -m avc | audit2allow" or "-a" instead.
27
28 -D | --dontaudit
29 Generate dontaudit rules (Default: allow)
30
31 -h | --help
32 Print a short usage message
33
34 -i <inputfile> | --input <inputfile>
35 read input from <inputfile>
36
37 -l | --lastreload
38 read input only after last policy reload
39
40 -m <modulename> | --module <modulename>
41 Generate module/require output <modulename>
42
43 -M <modulename>
44 Generate loadable module package, conflicts with -o
45
46 -p <policyfile> | --policy <policyfile>
47 Policy file to use for analysis
48
49 -o <outputfile> | --output <outputfile>
50 append output to <outputfile>
51
52 -r | --requires
53 Generate require output syntax for loadable modules.
54
55 -N | --noreference
56 Do not generate reference policy, traditional style allow rules.
57 This is the default behavior.
58
59 -R | --reference
60 Generate reference policy using installed macros. This attempts
61 to match denials against interfaces and may be inaccurate.
62
63 -x | --xperms
64 Generate extended permission access vector rules
65
66 -w | --why
67 Translates SELinux audit messages into a description of why the
68 access was denied
69
70
71 -v | --verbose
72 Turn on verbose output
73
74
76 This utility scans the logs for messages logged when the system denied
77 permission for operations, and generates a snippet of policy rules
78 which, if loaded into policy, might have allowed those operations to
79 succeed. However, this utility only generates Type Enforcement (TE) al‐
80 low rules. Certain permission denials may require other kinds of pol‐
81 icy changes, e.g. adding an attribute to a type declaration to satisfy
82 an existing constraint, adding a role allow rule, or modifying a con‐
83 straint. The audit2why(8) utility may be used to diagnose the reason
84 when it is unclear.
85
86 Care must be exercised while acting on the output of this utility to
87 ensure that the operations being permitted do not pose a security
88 threat. Often it is better to define new domains and/or types, or make
89 other structural changes to narrowly allow an optimal set of operations
90 to succeed, as opposed to blindly implementing the sometimes broad
91 changes recommended by this utility. Certain permission denials are
92 not fatal to the application, in which case it may be preferable to
93 simply suppress logging of the denial via a 'dontaudit' rule rather
94 than an 'allow' rule.
95
97 NOTE: These examples are for systems using the audit package. If you do
98 not use the audit package, the AVC messages will be in /var/log/messages.
99 Please substitute /var/log/messages for /var/log/audit/audit.log in the
100 examples.
101
102 Using audit2allow to generate module policy
103
104 $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
105 $ cat local.te
106 module local 1.0;
107
108 require {
109 class file { getattr open read };
110
111
112 type myapp_t;
113 type etc_t;
114 };
115
116
117 allow myapp_t etc_t:file { getattr open read };
118 <review local.te and customize as desired>
119
120 Using audit2allow to generate module policy using reference policy
121
122 $ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
123 $ cat local.te
124 policy_module(local, 1.0)
125
126 gen_require(`
127 type myapp_t;
128 type etc_t;
129 ')
130
131 files_read_etc_files(myapp_t)
132 <review local.te and customize as desired>
133
134 Building module policy using Makefile
135
136 # SELinux provides a policy devel environment under
137 # /usr/share/selinux/devel including all of the shipped
138 # interface files.
139 # You can create a te file and compile it by executing
140
141 $ make -f /usr/share/selinux/devel/Makefile local.pp
142
143
144 # This make command will compile a local.te file in the current
145 # directory. If you did not specify a "pp" file, the make file
146 # will compile all "te" files in the current directory. After
147 # you compile your te file into a "pp" file, you need to install
148 # it using the semodule command.
149
150 $ semodule -i local.pp
151
152 Building module policy manually
153
154 # Compile the module
155 $ checkmodule -M -m -o local.mod local.te
156
157 # Create the package
158 $ semodule_package -o local.pp -m local.mod
159
160 # Load the module into the kernel
161 $ semodule -i local.pp
162
163 Using audit2allow to generate and build module policy
164
165 $ cat /var/log/audit/audit.log | audit2allow -M local
166 Generating type enforcement file: local.te
167
168 Compiling policy: checkmodule -M -m -o local.mod local.te
169 Building package: semodule_package -o local.pp -m local.mod
170
171 ******************** IMPORTANT ***********************
172
173 In order to load this newly created policy package into the kernel,
174 you are required to execute
175
176 semodule -i local.pp
177
178 Using audit2allow to generate monolithic (non-module) policy
179
180 $ cd /etc/selinux/$SELINUXTYPE/src/policy
181 $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
182 $ cat domains/misc/local.te
183 allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
184 <review domains/misc/local.te and customize as desired>
185 $ make load
186
187
189 This manual page was written by Manoj Srivastava <srivasta@debian.org>,
190 for the Debian GNU/Linux system. It was updated by Dan Walsh
191 <dwalsh@redhat.com>
192
193 The audit2allow utility has contributions from several people, includ‐
194 ing Justin R. Smith and Yuichi Nakamura. and Dan Walsh
195
196
197
198Security Enhanced Linux October 2010 AUDIT2ALLOW(1)