From the audit2allow(1) manual page: "audit2allow
- generate SELinux policy allow rules from logs of denied operations"[19]. After analyzing denials as per Section 7.3.4, “sealert Messages”, and if no label changes or Booleans allowed access, use audit2allow
to create a local policy module. After access is denied by SELinux, running the audit2allow
command presents a Type Enforcement rule that allows the previously denied access. The following example demonstrates a denial and the associated system call logged to /var/log/audit/audit.log
:
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
In this example, certwatch (comm="certwatch"
) was denied write access ({ write }
) to a directory labeled with the var_t
type. With such a denial logged, running audit2allow
with the -w
option produces a human-readable description of why access was denied. The audit2allow
tool accesses /var/log/audit/audit.log
, and as such, must be run as the Linux root user:
# audit2allow -w -a type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
As shown, access was denied due to a missing Type Enforcement rule. Run the audit2allow -a
command to view the Type Enforcement rule that allows the denied access:
# audit2allow -a #============= certwatch_t ============== allow certwatch_t var_t:dir write;
To use this rule, run theaudit2allow -a -M
command as the Linux root user to create an installable module. The mycertwatch
-M
option creates a Type Enforcement file (.te
), named with the name given with -M
, in your current working directory:
# audit2allow -a -M mycertwatch ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i mycertwatch.pp # ls mycertwatch.pp mycertwatch.te
Also, audit2allow
compiles the Type Enforcement rule into a policy package (.pp
). To install the module, run the /usr/sbin/semodule -i
command as the Linux root user.
mycertwatch.pp
Refer to Dan Walsh's "Using audit2allow to build policy modules. Revisited." blog entry for further information about using audit2allow
to build policy modules.
Modules created with audit2allow
may allow more access than required. It is recommended that policy created with audit2allow
be posted to an SELinux list, such as fedora-selinux-list, for review. If you believe their is a bug in policy, create a bug in Red Hat Bugzilla.