SELinux : audit2allow Basic Usage (2021/03/02)
Using the [audit2allow] command, it is possible to generate SELinux policy allow rules easily from the logs of denied operations.
However, [audit2allow] may allow more access than is actually required,
so in some cases it is better to fix the file context with the [restorecon] or [chcon] command instead of loading a new rule.
If [audit2allow] is not installed on your system, install it with [dnf install policycoreutils-python-utils].
[1] | Display the reason for each denial by reading the log files. If no log file is specified, audit2allow reads [/var/log/audit/audit.log]. To read specific log files, use the [-i logfile] option instead of the [-a] option. |
# display reason for AVC denials from reading audit.log
[root@dlp ~]# audit2allow -w -a

type=AVC msg=audit(1614664861.679:94): avc: denied { name_bind } for pid=1161 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1614666021.668:78): avc: denied { getattr } for pid=1186 comm="login" name="/" dev="tmpfs" ino=12323 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
 Was caused by:
 Unknown - would be allowed by active policy
 Possible mismatch between this policy and the one under which the audit message was generated.

 Possible mismatch between current in-memory boolean settings vs. permanent ones.
.....
.....

# for example, use ausearch to display specific logs
[root@dlp ~]# ausearch -m AVC --start 03/01/2021 12:00:00 --end 03/02/2021 18:00:00 | audit2allow -w

type=AVC msg=audit(1614666578.083:78): avc: denied { getattr } for pid=1183 comm="login" name="/" dev="tmpfs" ino=12365 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
 Was caused by:
 Unknown - would be allowed by active policy
 Possible mismatch between this policy and the one under which the audit message was generated.

 Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1614666872.742:78): avc: denied { getattr } for pid=1182 comm="login" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
 Was caused by:
 Unknown - would be allowed by active policy
 Possible mismatch between this policy and the one under which the audit message was generated.

 Possible mismatch between current in-memory boolean settings vs. permanent ones.
.....
.....

# display required type with -a option
[root@dlp ~]# ausearch -m AVC --start 03/01/2021 12:00:00 --end 03/02/2021 18:00:00 | audit2allow -a

#============= httpd_t ==============
allow httpd_t reserved_port_t:tcp_socket name_bind;

#============= local_login_t ==============
allow local_login_t cgroup_t:filesystem getattr;
allow local_login_t tmpfs_t:filesystem getattr;
[2] | Generate an allow rule as follows. |
# for example, generate [test_rule] module
[root@dlp ~]# ausearch -m AVC --start 03/01/2021 12:00:00 --end 03/02/2021 18:00:00 | audit2allow -a -M test_rule

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp

# install module with the command displayed above
[root@dlp ~]# semodule -i test_rule.pp

# make sure the module is loaded
[root@dlp ~]# semodule -l | grep test_rule

test_rule
That resolves the denial in some cases, but not in others.
If the denial persists, run [audit2allow] again and check the reported causes. |
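As an added example (not from the original page or the audit2allow project), the script below reproduces the core of what [audit2allow -a] does in steps [1] and [2]: it parses AVC denial lines, merges permissions per source type, target type and class, and prints one allow rule per triple. It also lists file-object denials separately, since those are the ones where a wrong label, rather than a new rule, is often the real fix. The AVC lines in SAMPLE_AVC are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample AVC denials (same format as audit.log, not real data)
SAMPLE_AVC='type=AVC msg=audit(1614664861.679:94): avc:  denied  { name_bind } for  pid=1161 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1614666021.668:78): avc:  denied  { getattr } for  pid=1186 comm="login" name="/" dev="tmpfs" ino=12323 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1614666900.000:80): avc:  denied  { read } for  pid=1190 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1614666901.000:81): avc:  denied  { open } for  pid=1190 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# gen_allow_rules: read AVC lines on stdin, emit one TE allow rule per
# (source type, target type, class), merging permissions as audit2allow does
gen_allow_rules() {
  awk '
    /avc: +denied/ {
      match($0, /\{[^}]*\}/)                  # permissions sit inside { }
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src SUBSEP tgt SUBSEP cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
      for (key in rule) {
        split(key, k, SUBSEP); sub(/^ /, "", rule[key])
        if (index(rule[key], " ")) printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rule[key]
        else                        printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], rule[key]
      }
    }' | sort
}

# relabel_candidates: file-object denials to review before loading any module;
# if the target label is wrong, restorecon/chcon is the narrower fix
relabel_candidates() {
  awk '/avc: +denied/ && /tclass=(file|dir|lnk_file|sock_file)( |$)/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^(name|tcontext)=/) printf "%s ", $i
      print "" }'
}

printf '%s\n' "$SAMPLE_AVC" | gen_allow_rules
printf '%s\n' "$SAMPLE_AVC" | relabel_candidates
```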