
SELinux : audit2allow Basic Usage
2021/07/22
 
Using the [audit2allow] command, it's possible to generate SELinux policy allow rules easily from the logs of denied operations.
However, [audit2allow] may allow more access than required, so in some cases it's better to fix the labeling with the [restorecon] or [chcon] command instead.
If [audit2allow] is not on your system, install it with [dnf install policycoreutils-python-utils].
[1] Display the reasons for denials by reading log files.
If no log file is specified, audit2allow reads [/var/log/audit/audit.log].
To specify log files, set the [-i logfile] option instead of the [-a] option.
# display reason for AVC denials from reading audit.log

[root@dlp ~]#
audit2allow -w -a

type=AVC msg=audit(1626921261.929:73): avc:  denied  { getattr } for  pid=1120 comm="login" name="/" dev="tmpfs" ino=12482 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1626921270.912:90): avc:  denied  { name_bind } for  pid=1500 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
.....
.....

# for example, use ausearch to display specific logs

[root@dlp ~]#
ausearch -m AVC --start 07/21/2021 12:00:00 --end 07/22/2021 18:00:00 | audit2allow -w

type=AVC msg=audit(1626921261.929:73): avc:  denied  { getattr } for  pid=1120 comm="login" name="/" dev="tmpfs" ino=12482 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1626921270.912:90): avc:  denied  { name_bind } for  pid=1500 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
.....
.....

# display the required allow rules (with the -a option)

[root@dlp ~]#
ausearch -m AVC --start 07/21/2021 12:00:00 --end 07/22/2021 18:00:00 | audit2allow -a


#============= httpd_t ==============
allow httpd_t reserved_port_t:tcp_socket name_bind;

#============= local_login_t ==============
allow local_login_t tmpfs_t:filesystem getattr;
[2] Generate an allow rule module as follows.
# for example, generate a [test_rule] module

[root@dlp ~]#
ausearch -m AVC --start 07/21/2021 12:00:00 --end 07/22/2021 18:00:00 | audit2allow -a -M test_rule

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp

# install module with the command displayed above

[root@dlp ~]#
semodule -i test_rule.pp
# make sure the module is loaded

[root@dlp ~]#
semodule -l | grep test_rule

test_rule
 
That fixes the denial in some cases, but in other cases it does not.
If the denial persists, run [audit2allow] again and check the remaining causes.
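To make clear what [audit2allow] does with the AVC records above and what the [-M] module actually contains, here is an added example (my own code, not part of audit2allow or this page): it parses AVC lines into allow rules grouped by source type, merges several denied permissions on the same source/target/class into one rule, and renders the [.te] source that a module is compiled from. The input is constructed: the two records shown on this page plus two constructed httpd_t denials on a var_log_t file.

```python
import re
from collections import defaultdict

# Constructed input: the two AVC records from this page plus two constructed
# httpd_t denials on the same var_log_t file, to show permission merging.
SAMPLE_AVC = """\
type=AVC msg=audit(1626921261.929:73): avc:  denied  { getattr } for  pid=1120 comm="login" name="/" dev="tmpfs" ino=12482 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1626921270.912:90): avc:  denied  { name_bind } for  pid=1500 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1626921300.001:95): avc:  denied  { read } for  pid=1500 comm="httpd" name="app.log" dev="dm-0" ino=3301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1626921300.002:96): avc:  denied  { open } for  pid=1500 comm="httpd" path="/var/log/app.log" dev="dm-0" ino=3301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Collapse AVC records into {(source_t, target_t, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, CWD, PATH ...) are skipped
            # a context is user:role:type[:range]; a TE rule only uses the type
            key = (m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'])
            rules[key].update(m['perms'].split())
    return rules

def fmt_perms(perms):
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'

def format_rules(rules):
    """Render allow rules grouped by source type, as audit2allow prints them."""
    by_src = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        # Per-type granularity: name_bind on reserved_port_t covers every reserved port, not just 85.
        by_src[src].append(f'allow {src} {tgt}:{cls} {fmt_perms(perms)};')
    blocks = [f'#============= {s} ==============\n' + '\n'.join(r) for s, r in sorted(by_src.items())]
    return '\n\n'.join(blocks)

def to_te_module(rules, name):
    """The .te source that [-M name] compiles into name.pp: require block + rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    req = [f'\ttype {t};' for t in sorted(types)]
    req += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    return '\n'.join([f'module {name} 1.0;', '', 'require {', *req, '}', '', format_rules(rules)])
```

The comment on the name_bind rule is the page's caveat in concrete form: the generated rule is keyed on the target type, so it grants more than the single denied operation in the log.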