 Hey, Emacs! This is an -*- nroff -*- source file.
Copyright (c) 2005 Manoj Srivastava <srivasta (at] debian.org>
Copyright (c) 2010 Dan Walsh <dwalsh (at] redhat.com>

This is free documentation; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.

The GNU General Public License's references to "object code"
and "executables" are to be interpreted as the output of any
document formatting or typesetting system, including
intermediate and printed output.

This manual is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public
License along with this manual; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA.


AUDIT2ALLOW "1" " 2010" "Security Enhanced Linux" NSA
audit2allow - generate SELinux policy allow/dontaudit rules from the logs of denied operations
audit2why - generate a report of why an access was denied (equivalent to audit2allow -w)
audit2allow [options]

"-a" | "--all"  Read input from the audit and message logs; conflicts with -i.

"-b" | "--boot"  Read input from audit messages recorded since the last boot; conflicts with -i.

"-d" | "--dmesg"  Read input from the output of /bin/dmesg. Note that not all audit messages are available via dmesg when auditd is running; in that case use "ausearch -m avc | audit2allow" or "-a" instead, otherwise denials will be missed.

"-D" | "--dontaudit"  Generate dontaudit rules instead of allow rules (default: allow).

"-h" | "--help"  Print a short usage message.

"-i <inputfile>" | "--input <inputfile>"  Read input from <inputfile>.

"-l" | "--lastreload"  Read only the input recorded after the last policy reload.

"-m <modulename>" | "--module <modulename>"  Generate module/require output for <modulename>.

"-M <modulename>"  Generate a loadable module package named <modulename>; conflicts with -o.

"-p <policyfile>" | "--policy <policyfile>"  Policy file to use for the analysis.

"-o <outputfile>" | "--output <outputfile>"  Append output to <outputfile>.

"-r" | "--requires"  Generate require output syntax for loadable modules.

"-N" | "--noreference"  Do not generate reference-policy output; emit traditional allow rules. This is the default behaviour.

"-R" | "--reference"  Generate reference-policy output using the installed interface macros. This attempts to match each denial to an interface and may be inaccurate; review the chosen interfaces, as an interface can grant more than the single denied access.

"-x" | "--xperms"  Generate extended-permission (xperm) access-vector rules.

"-w" | "--why"  Translate SELinux audit messages into a description of why the access was denied (the same as audit2why).

"-v" | "--verbose"  Turn on verbose output.

This utility scans the logs for messages recorded when the system denied permission for an operation, and generates a snippet of policy rules which, if loaded into the policy, might allow those operations to succeed. Note that it only generates Type Enforcement (TE) allow rules. Certain permission denials require other kinds of policy change (for example adding a type attribute, changing the type of a file, or toggling a boolean) and cannot be fixed correctly by a bare allow rule. Use audit2why(8) to understand why an access was denied before acting on the output of this utility.

Care must be exercised while acting on the output of this utility to ensure that the operations being permitted do not pose a security threat: a denial logged while a confined process was misbehaving or being attacked will be turned into a rule that grants exactly that access. Often it is better to define new domains and/or new types, or to make other structural changes that narrowly allow an optimal set of operations, rather than blindly loading the sometimes broad rules this utility recommends. Certain permission denials are not fatal to the application; in that case it may be preferable to suppress logging of the denial with a 'dontaudit' rule rather than grant it with an 'allow' rule.

NOTE: These examples are for systems using the audit package. If you do not use the audit package, the AVC messages will be in /var/log/messages. Please substitute /var/log/messages for /var/log/audit/audit.log in the examples.

Using audit2allow to generate module policy

$ cat /var/log/audit/audit.log | audit2allow -m local > local.te
$ cat local.te
module local 1.0;

require {
        class file { getattr open read };

        type myapp_t;
        type etc_t;
};

allow myapp_t etc_t:file { getattr open read };
<review local.te and customize as desired>

Using audit2allow to generate module policy using reference policy

$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
$ cat local.te
policy_module(local, 1.0)

gen_require(`
        type myapp_t;
        type etc_t;
')

files_read_etc_files(myapp_t)
<review local.te and customize as desired>

Building module policy using Makefile

# SELinux provides a policy development environment under
# /usr/share/selinux/devel, including all of the shipped
# interface files.
# You can create a .te file and compile it by executing

$ make -f /usr/share/selinux/devel/Makefile local.pp

# This make command will compile a local.te file in the current
# directory. If you do not name a "pp" file, the Makefile will
# compile every "te" file in the current directory. After you
# compile your .te file into a "pp" file, you need to install it
# using the semodule command.

$ semodule -i local.pp

Building module policy manually

# Compile the module
$ checkmodule -M -m -o local.mod local.te

# Create the package
$ semodule_package -o local.pp -m local.mod

# Load the module into the kernel
$ semodule -i local.pp

Using audit2allow to generate and build module policy

$ cat /var/log/audit/audit.log | audit2allow -M local
Generating type enforcement file: local.te

Compiling policy: checkmodule -M -m -o local.mod local.te
Building package: semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i local.pp

Using audit2allow to generate monolithic (non-module) policy

$ cd /etc/selinux/$SELINUXTYPE/src/policy
$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
$ cat domains/misc/local.te
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
<review domains/misc/local.te and customize as desired>
$ make load

This manual page was written by Manoj Srivastava <srivasta (at] debian.org> for the Debian GNU/Linux system, and updated by Dan Walsh <dwalsh (at] redhat.com>.

audit2allow was written by Justin R. Smith, Yuichi Nakamura and Dan Walsh. Russian translation by <gammaray (at] basealt.ru>.