Thursday February 03, 2005 at 12:17
Subject: audit2allow
Keywords: selinux, Tech
Posted by: Kevin Fenzi
Related entries: SELinux: Think of it like a firewall. by Sean Reifschneider, Monday May 01, 2006 at 23:53
Just noticed a handy little tool for dealing with SELinux-enabled Linux boxes called audit2allow.
When SELinux denies some action it logs a message showing exactly what was denied
and the context of the process that tried to do the action. So far so good, but the
messages are not easy to decipher if you want to try and allow some action that's being
denied.
audit2allow takes in a log message denying some action and spits out
a selinux rule that would allow the action.
Here's a log message from my firewall:
firewall kernel: audit(1107457857.002:0): avc: denied { setattr } for pid=4754 exe=/usr/sbin/named name=XXXXXXX.org dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
That's basically SELinux not letting the named process update a timestamp on a DNS zone file.
audit2allow gives us:
allow named_t named_zone_t:file setattr;
So, we just add that to /etc/selinux/strict/src/policy/domains/misc/local.te, then do a
cd /etc/selinux/strict/src/policy; make load;
Now named should be allowed to set attributes on named_zone_t files.
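To make the translation step concrete, here is a small added example (written for this post, not the audit2allow tool's own code) that does what the post describes: it parses old-style kernel AVC "denied" messages of the form quoted above and emits the matching allow rule. It goes one step beyond the single denial in the post by merging several denials for the same source type, target type and object class into one rule with a combined permission set, which is also how audit2allow presents its output. The sample log lines, PIDs, inode numbers and the ntpd entries are constructed for the example; the first constant is the post's own log line with the zone name left masked.

```python
import re
from collections import defaultdict

# The AVC denial quoted in the post (zone name masked as in the original).
POST_LINE = (
    "firewall kernel: audit(1107457857.002:0): avc: denied { setattr } for pid=4754 "
    "exe=/usr/sbin/named name=XXXXXXX.org dev=hda3 ino=636842 "
    "scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file"
)

# Constructed sample syslog excerpt in the same 2005-era format. PIDs, inode
# numbers, the zone name and the ntpd lines are made up for this example; the
# final "granted" line shows that non-denials are ignored.
SAMPLE_LOG = """\
Feb  3 12:01:57 firewall kernel: audit(1107457857.002:0): avc: denied { setattr } for pid=4754 exe=/usr/sbin/named name=example.org dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
Feb  3 12:01:58 firewall kernel: audit(1107457858.113:0): avc: denied { write } for pid=4754 exe=/usr/sbin/named name=example.org dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
Feb  3 12:02:10 firewall kernel: audit(1107457870.500:0): avc: denied { read } for pid=4801 exe=/usr/sbin/ntpd name=drift dev=hda3 ino=12345 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:ntpd_drift_t tclass=file
Feb  3 12:02:11 firewall kernel: audit(1107457871.000:0): avc: granted { load_policy } for pid=4900 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
"""

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc_denial(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial,
    or None if the line is not a denial we can read."""
    m = AVC_DENIED.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    # Remaining tokens are key=value pairs; values in this format have no spaces.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type; the type is the third field.
        src_type = fields["scontext"].split(":")[2]
        tgt_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return src_type, tgt_type, tclass, perms


def denials_to_rules(log_text):
    """Turn a block of log text into allow rules, one per (source, target, class)
    triple, with the permissions from all matching denials merged."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc_denial(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(POST_LINE):
        print(rule)          # the single rule the post shows
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)          # two rules, the named one with { setattr write }
```

Running it on POST_LINE reproduces the rule from the post exactly. The merging behaviour is worth keeping in mind when reading real audit2allow output: each generated rule is a literal grant of everything that was denied for that type pair, so a rule that has absorbed several denials should be checked against what the program actually needs before it goes into local.te, rather than pasted in because the tool produced it.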
Comment by kevin: audit2allow -l
One additional nice feature is the -l flag to audit2allow.
This tells it to only report on things that have appeared since the last policy load and to ignore everything before.
Using this you can fix something, reload the policy, then try your program again. If it runs into another problem you can just do:
audit2allow -l -i /var/log/messages
and you should get only those things that happened since the last policy reload.