Quick ?s
Cheat Sheets
Man Pages
The Lynx

       audit2allow  -  generate  policy allow rules from logs of denied opera

       audit2allow [options]

       -a | --all
	      Read input from audit and message log, conflicts with -i

       -d | --dmesg
	      Read input from output of /bin/dmesg.  Note that all audit  mes
	      sages  are  not  available via dmesg when auditd is running; use
	      "ausearch -m avc | audit2allow"  or "-a" instead.

       -f | --fcfile 
	      Add File Context File to generated Module Package.  Requires  -M

       -h | --help
	      Print a short usage message

       -i   | --input 
	      read input from 

       -l | --lastreload
	      read input only after last policy reload

       -m  | --module 
	      Generate module/require output 

	      Generate loadable module package, conflicts with -o

       -o  | --output 
	      append output to 

       -r | --requires
	      Generate require output syntax for loadable modules.

       -R | --reference
	      Generate	reference policy using installed macros.  Requires the
	      selinux-policy-devel package.

       -t  | --tefile
	      Indicates input file is a te (type enforcement) file.  This  can
	      be used to translate old te format to new policy format.

       -v | --verbose
	      Turn on verbose output

       This  utility scans the logs for messages logged when the system denied
       permission for operations, and generates  a  snippet  of  policy  rules
       which,  if  loaded  into policy, might have allowed those operations to
       succeed. However, this utility only  generates  Type  Enforcement  (TE)
       allow  rules.   Certain	permission  denials may require other kinds of
       policy changes, e.g. adding an attribute to a type declaration to  sat
       isfy  an  existing constraint, adding a role allow rule, or modifying a
       constraint.  The audit2why(8) utility  may  be  used  to  diagnose  the
       reason when it is unclear.

       Care  must  be  exercised while acting on the output of this utility to
       ensure that the operations being  permitted  do	not  pose  a  security
       threat.	Often it is better to define new domains and/or types, or make
       other structural changes to narrowly allow an optimal set of operations
       to  succeed,  as  opposed  to  blindly implementing the sometimes broad
       changes recommended by this utility.   Certain permission  denials  are
       not  fatal  to  the  application, in which case it may be preferable to
       simply suppress logging of the denial via  a  dontaudit	rule  rather
       than an allow rule.

       NOTE: These examples are for systems using the audit package. If you do
       not use the audit package, the AVC messages will be in /var/log/messages.
       Please substitute /var/log/messages for /var/log/audit/audit.log in the

       Using audit2allow to generate monolithic (non-module) policy
       $ cd /etc/selinux/$SELINUXTYPE/src/policy
       $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
       $ cat domains/misc/local.te
       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
       $ make load

       Using audit2allow to generate module policy

       $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
       $ cat local.te
       module local 1.0;

       require {
	       role system_r;

	       class fifo_file {  getattr ioctl };

	       type cupsd_config_t;
	       type unconfined_t;

       allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };

       Building module policy manually

       # Compile the module
       $ checkmodule -M -m -o local.mod local.te
       # Create the package
       $ semodule_package -o local.pp -m local.mod
       # Load the module into the kernel
       $ semodule -i local.pp

       Using audit2allow to generate and build module policy
       $ cat /var/log/audit/audit.log | audit2allow -M local
       Generating type enforcment file: local.te
       Compiling policy: checkmodule -M -m -o local.mod local.te
       Building package: semodule_package -o local.pp -m local.mod

       ******************** IMPORTANT ***********************

       In order to load this newly created policy package into the kernel,
       you are required to execute

       semodule -i local.pp

       This manual page was written by Manoj Srivastava ,
       for  the  Debian  GNU/Linux  system.  It  was  updated  by  Dan	 Walsh

       The  audit2allow utility has contributions from several people, includ
       ing Justin R. Smith and Yuichi Nakamura.  and Dan Walsh

Security Enhanced Linux 	 January 2005			AUDIT2ALLOW(1)

Yals.net is © 1999-2009 Crescendo Communications
Sharing tech info on the web for more than a decade!
This page was generated Thu Apr 30 17:05:17 2009