

Just noticed a handy little tool for dealing with SELinux-enabled Linux boxes called audit2allow.

When SELinux denies some action it logs an AVC message showing exactly what was denied (the permission and the object class) together with the security context of the process that attempted the action and the context of the object it acted on. So far so good, but the messages are not easy to turn into policy if you want to allow an action that's being denied.

audit2allow takes in one or more of those denial messages and prints the SELinux allow rule(s) that would permit the denied access. It does exactly that and nothing more: it has no idea whether the access was supposed to be allowed, so read each rule it emits before loading it. A denial can also mean the file carries the wrong label rather than that the policy is missing a rule, and in that case relabeling the file is the right fix, not a new allow rule.

Here's a log message from my firewall:

firewall kernel: audit(1107457857.002:0): avc: denied { setattr } for pid=4754 exe=/usr/sbin/named dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file

That's SELinux refusing to let the named process set attributes (here, updating a timestamp) on a DNS zone file. Reading the fields: the source type is named_t (from scontext), the target type is named_zone_t (from tcontext), the object class is file (tclass) and the denied permission is setattr (inside the braces).

Feeding that line to audit2allow gives us:

allow named_t named_zone_t:file setattr;

So, we just add that line to /etc/selinux/strict/src/policy/domains/misc/local.te (the local additions file in the strict policy source tree), then rebuild and load the policy with: cd /etc/selinux/strict/src/policy; make load

Now named should be allowed to set attributes on named_zone_t files. If the log still shows named denials after the load, check that the zone file's label is what you expect before adding more rules.
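The translation audit2allow performs on a line like the one above is mechanical enough to show in a few lines of shell. The script below is an added example, not code from the original post or from the audit2allow tool itself: it parses AVC denial lines in the old "audit(...): avc: denied" format, pulls the source type out of scontext, the target type out of tcontext, the class out of tclass and the permissions out of the braces, then merges permissions per (source type, target type, class) into one allow rule each. Going a little beyond the single-line case in the post, it handles several denials at once and skips "granted" lines. The sample log lines in SAMPLE_AVC are constructed for the example (only the first one is the line from the post); gen_allow_rules and append_rules are names chosen here, and the local.te path in the comments is the one the post uses.

```shell
#!/bin/sh
# Added example: a minimal stand-in for what audit2allow does with AVC
# denial lines in the "audit(...): avc: denied" format.  Not the real tool.
# Needs only POSIX sh, awk, sort and grep.

# Constructed sample input.  The first line is the one from the post; the
# rest are made up to show permission merging, a second object class and a
# "granted" line that must be ignored.
SAMPLE_AVC='firewall kernel: audit(1107457857.002:0): avc: denied { setattr } for pid=4754 exe=/usr/sbin/named dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
firewall kernel: audit(1107457858.010:0): avc: denied { read getattr } for pid=4754 exe=/usr/sbin/named dev=hda3 ino=636843 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
firewall kernel: audit(1107457859.120:0): avc: denied { write } for pid=4754 exe=/usr/sbin/named dev=hda3 ino=636842 scontext=system_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=file
firewall kernel: audit(1107457860.000:0): avc: denied { search } for pid=4754 exe=/usr/sbin/named name=named dev=hda3 ino=12 scontext=system_u:system_r:named_t tcontext=system_u:object_r:var_t tclass=dir
firewall kernel: audit(1107457861.000:0): avc: granted { read } for pid=4754 exe=/usr/sbin/named scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file'

# gen_allow_rules: read AVC lines on stdin, print one allow rule per
# (source type, target type, class) with permissions deduplicated, sorted.
gen_allow_rules() {
    awk '
    /avc: +denied/ {
        # permissions sit between the braces: "{ read getattr }"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        } else next
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = $i
            else if ($i ~ /^tcontext=/) t = $i
            else if ($i ~ /^tclass=/) c = $i
        }
        if (s == "" || t == "" || c == "") next
        sub(/^scontext=/, "", s); sub(/^tcontext=/, "", t); sub(/^tclass=/, "", c)
        # a context is user:role:type; the rule only needs the type
        split(s, sa, ":"); stype = sa[3]
        split(t, ta, ":"); ttype = ta[3]
        key = stype " " ttype ":" c
        np = split(perms, pa, " ")
        for (j = 1; j <= np; j++) {
            if (!((key SUBSEP pa[j]) in seen)) {
                seen[key SUBSEP pa[j]] = 1
                rules[key] = (rules[key] == "" ? pa[j] : (rules[key] " " pa[j]))
            }
        }
    }
    END {
        for (k in rules) {
            np = split(rules[k], pa, " ")
            if (np == 1) print "allow " k " " pa[1] ";"
            else print "allow " k " { " rules[k] " };"
        }
    }' | sort
}

# append_rules FILE: append rules read from stdin to FILE (e.g. the
# local.te from the post), skipping rules already present so that
# re-running on the same log does not duplicate lines.  Loading the
# policy afterwards (make load) is left to the reader on a real box.
append_rules() {
    te="$1"
    touch "$te"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        grep -qxF "$rule" "$te" || printf '%s\n' "$rule" >> "$te"
    done
}

# Usage: print the rules the constructed sample would produce.
printf '%s\n' "$SAMPLE_AVC" | gen_allow_rules
```

For the post's single line the function prints exactly the rule audit2allow produced, allow named_t named_zone_t:file setattr; . For the full constructed sample it collapses four named_zone_t denials into one rule with a braced permission set and emits a separate dir rule for var_t, which is also where you would pause: a rule granting named_t search on a generic type like var_t is the kind of over-broad output that deserves a look at the file's label before it goes into local.te.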

