1AUDIT2ALLOW(1)                        NSA                       AUDIT2ALLOW(1)
2
3
4

NAME

6       audit2allow  -  generate SELinux policy allow/dontaudit rules from logs
7       of denied operations
8
9       audit2why - translates SELinux audit messages into a description of why
10       the access was denied (audit2allow -w)
11
12

SYNOPSIS

14       audit2allow [options]
15

OPTIONS

17       -a | --all
18              Read input from audit and message log, conflicts with -i
19
20       -b | --boot
21              Read input from audit messages since last boot conflicts with -i
22
23       -d | --dmesg
24              Read  input from output of /bin/dmesg.  Note that all audit mes‐
25              sages are not available via dmesg when auditd  is  running;  use
26              "ausearch -m avc | audit2allow"  or "-a" instead.
27
28       -D | --dontaudit
29              Generate dontaudit rules (Default: allow)
30
31       -h | --help
32              Print a short usage message
33
34       -i  <inputfile> | --input <inputfile>
35              read input from <inputfile>
36
37       -l | --lastreload
38              read input only after last policy reload
39
40       -m <modulename> | --module <modulename>
41              Generate module/require output <modulename>
42
43       -M <modulename>
44              Generate loadable module package, conflicts with -o
45
46       -p <policyfile> | --policy <policyfile>
47              Policy file to use for analysis
48
49       -o <outputfile> | --output <outputfile>
50              append output to <outputfile>
51
52       -r | --requires
53              Generate require output syntax for loadable modules.
54
55       -N | --noreference
56              Do not generate reference policy, traditional style allow rules.
57              This is the default behavior.
58
59       -R | --reference
60              Generate reference policy using installed macros.  This attempts
61              to match denials against interfaces and may be inaccurate.
62
63       -x | --xperms
64              Generate extended permission access vector rules
65
66       -w | --why
67              Translates  SELinux audit messages into a description of why the
68              access was denied
69
70
71       -v | --verbose
72              Turn on verbose output
73
74

DESCRIPTION

76       This utility scans the logs for messages logged when the system  denied
77       permission  for  operations,  and  generates  a snippet of policy rules
78       which, if loaded into policy, might have allowed  those  operations  to
79       succeed. However, this utility only generates Type Enforcement (TE) al‐
80       low rules.  Certain permission denials may require other kinds of  pol‐
81       icy  changes, e.g. adding an attribute to a type declaration to satisfy
82       an existing constraint, adding a role allow rule, or modifying  a  con‐
83       straint.   The  audit2why(8) utility may be used to diagnose the reason
84       when it is unclear.
85
86       Care must be exercised while acting on the output of  this  utility  to
87       ensure  that  the  operations  being  permitted  do not pose a security
88       threat. Often it is better to define new domains and/or types, or  make
89       other structural changes to narrowly allow an optimal set of operations
90       to succeed, as opposed to  blindly  implementing  the  sometimes  broad
91       changes  recommended  by this utility.   Certain permission denials are
92       not fatal to the application, in which case it  may  be  preferable  to
93       simply  suppress  logging  of  the denial via a 'dontaudit' rule rather
94       than an 'allow' rule.
95

EXAMPLE

97       NOTE: These examples are for systems using the audit package. If you do
98       not use the audit package, the AVC messages will be in /var/log/messages.
99       Please substitute /var/log/messages for /var/log/audit/audit.log in the
100       examples.
101
102       Using audit2allow to generate module policy
103
104       $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
105       $ cat local.te
106       module local 1.0;
107
108       require {
109               class file {  getattr open read };
110
111
112               type myapp_t;
113               type etc_t;
114        };
115
116
117       allow myapp_t etc_t:file { getattr open read };
118       <review local.te and customize as desired>
119
120       Using audit2allow to generate module policy using reference policy
121
122       $ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
123       $ cat local.te
124       policy_module(local, 1.0)
125
126       gen_require(`
127               type myapp_t;
128               type etc_t;
129       ')
130
131       files_read_etc_files(myapp_t)
132       <review local.te and customize as desired>
133
134       Building module policy using Makefile
135
136       # SELinux provides a policy devel environment under
137       # /usr/share/selinux/devel including all of the shipped
138       # interface files.
139       # You can create a te file and compile it by executing
140
141       $ make -f /usr/share/selinux/devel/Makefile local.pp
142
143
144       # This make command will compile a local.te file in the current
145       # directory. If you did not specify a "pp" file, the make file
146       # will compile all "te" files in the current directory.  After
147       # you compile your te file into a "pp" file, you need to install
148       # it using the semodule command.
149
150       $ semodule -i local.pp
151
152       Building module policy manually
153
154       # Compile the module
155       $ checkmodule -M -m -o local.mod local.te
156
157       # Create the package
158       $ semodule_package -o local.pp -m local.mod
159
160       # Load the module into the kernel
161       $ semodule -i local.pp
162
163       Using audit2allow to generate and build module policy
164
165       $ cat /var/log/audit/audit.log | audit2allow -M local
166       Generating type enforcement file: local.te
167
168       Compiling policy: checkmodule -M -m -o local.mod local.te
169       Building package: semodule_package -o local.pp -m local.mod
170
171       ******************** IMPORTANT ***********************
172
173       In order to load this newly created policy package into the kernel,
174       you are required to execute
175
176       semodule -i local.pp
177
178       Using audit2allow to generate monolithic (non-module) policy
179
180       $ cd /etc/selinux/$SELINUXTYPE/src/policy
181       $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
182       $ cat domains/misc/local.te
183       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
184       <review domains/misc/local.te and customize as desired>
185       $ make load
186
187

AUTHOR

189       This manual page was written by Manoj Srivastava <srivasta@debian.org>,
190       for   the  Debian  GNU/Linux  system.  It  was  updated  by  Dan  Walsh
191       <dwalsh@redhat.com>
192
193       The audit2allow utility has contributions from several people,  includ‐
194       ing Justin R. Smith and Yuichi Nakamura.  and Dan Walsh
195
196
197
198Security Enhanced Linux          October 2010                   AUDIT2ALLOW(1)
Impressum