Audit2allowRecipe

From SELinux Wiki

Revision history: page created 14:52, 29 September 2009 by JoshuaBrindle; current revision 15:57, 20 June 2011 by DominickGrift (3 intermediate revisions not shown).

Current revision

If SELinux is denying access for something you believe should be allowed, you can add rules to your policy with the audit2allow program.

First, run the "ps -ef | grep auditd" command to find out if auditd is running:

# ps -ef | grep auditd
root        69     2  0 Sep26 ?        00:00:00 [kauditd]
root      1159     1  0 Sep26 ?        00:00:00 auditd

If auditd is running, as shown above (the "auditd" process is what matters; "[kauditd]" is the kernel thread that exists either way), AVC denials are written to /var/log/audit/audit.log, so use the "-a" option with audit2allow. If it is not running, the denials only reach the kernel log, so use the "-d" option, which reads the output of dmesg instead.

The "-l" option restricts the input to denials logged since the last policy reload, and the "-M" option writes a policy module (a .te source file and a compiled .pp package) with rules that would allow those denials.

Do not use the "-M" option to specify the same module name more than once. Installing a package whose name matches a module that is already installed replaces that module, so the rules from your earlier run would disappear from the policy unless the new .te also contains them. For example, if you run the command below once with "-M local", and want to run it again later, choose a different name, such as "-M local2". The "semodule -l" command lists the names that are already taken.

# audit2allow -l -a -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

You can view the rules to be added in the local.te file. Read them critically before installing: audit2allow writes an allow rule for exactly what was denied, and a denial is sometimes the correct outcome rather than a gap in the policy, for example a mislabeled file that restorecon should fix, a boolean that should be switched with setsebool, or an actual attack. The "-w" option (audit2why) explains why each access was denied and whether a boolean would allow it. If you are satisfied, run the "semodule -i local.pp" command to install the module. You can mail an SELinux list, such as the Fedora SELinux list (https://admin.fedoraproject.org/mailman/listinfo/selinux) or the NSA SELinux mailing list (http://www.nsa.gov/research/selinux/list.shtml), to ask for review of your module before you install it.
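The four steps above, as an added example that is not part of the wiki page or of the audit2allow tools: a POSIX shell script that picks "-a" or "-d" from the process listing, chooses a module name that "semodule -l" does not already report, and lists the allow rules in the generated .te that deserve a second look before "semodule -i". The helper functions take their input as arguments so they can be run offline against constructed samples; the AUDIT2ALLOW_RUN switch, the list of permissions flagged for review, and all sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the SELinux wiki page: a wrapper around the
# audit2allow recipe above. Helper functions take their input as
# arguments so they can be exercised offline on constructed samples.
# Assumptions of this example: the AUDIT2ALLOW_RUN switch, the list of
# permissions flagged for review, and all sample data below.

# Step 1: choose the audit2allow input option from a "ps -ef" listing.
# With auditd running, AVC denials go to /var/log/audit/audit.log, which
# "-a" reads; without it they only reach the kernel log, read by "-d".
# Ignores the "[kauditd]" kernel thread and the grep process itself.
source_flag_from_ps() {
    if printf '%s\n' "$1" | grep -v grep |
       grep -qE '(^|[[:space:]/])auditd$'; then
        echo "-a"
    else
        echo "-d"
    fi
}

# Step 2: pick a module name not already present in "semodule -l" output
# ($2), so "semodule -i" does not replace an earlier module of that name.
# Tries $1, then $1 followed by 2, 3, ... until a free name is found.
next_module_name() {
    base=$1; installed=$2; n=1; name=$base
    while printf '%s\n' "$installed" | awk '{ print $1 }' | grep -qx "$name"; do
        n=$((n + 1))
        name="${base}${n}"
    done
    echo "$name"
}

# Step 3: print the allow rules in a generated .te ($1) that deserve a
# second look before "semodule -i". The permission list is an editorial
# choice for this example: capabilities that bypass DAC or reach into the
# kernel, executable-memory permissions, relabeling, and shadow_t access.
RISKY_RULE='^allow .*(dac_override|dac_read_search|sys_admin|sys_module|sys_ptrace|execmem|execstack|execheap|relabelfrom|relabelto|shadow_t|unconfined)'
review_te() {
    grep -nE "$RISKY_RULE" "$1" || true
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='root        69     2  0 Sep26 ?        00:00:00 [kauditd]
root      1159     1  0 Sep26 ?        00:00:00 auditd
root      2042  1990  0 10:12 pts/0    00:00:00 grep auditd'
SAMPLE_PS_NO_AUDITD='root        69     2  0 Sep26 ?        00:00:00 [kauditd]
root      2042  1990  0 10:12 pts/0    00:00:00 grep auditd'
SAMPLE_MODULES='local   1.0
local2  1.0
myapp   1.0'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_TE="$WORK/local3.te"
cat > "$SAMPLE_TE" <<'EOF'
module local3 1.0;

require {
    type httpd_t;
    type shadow_t;
    type user_home_t;
    class file { read open getattr };
    class capability dac_override;
}

#============= httpd_t ==============
allow httpd_t self:capability dac_override;
allow httpd_t shadow_t:file { read open getattr };
allow httpd_t user_home_t:file { read open getattr };
EOF

echo "option with auditd running:   $(source_flag_from_ps "$SAMPLE_PS")"
echo "option without auditd:        $(source_flag_from_ps "$SAMPLE_PS_NO_AUDITD")"
echo "next free module name:        $(next_module_name local "$SAMPLE_MODULES")"
echo "rules in $SAMPLE_TE to reconsider:"
review_te "$SAMPLE_TE"

# Step 4: the real run, only when explicitly requested (needs root, the
# policycoreutils tools and an SELinux host): AUDIT2ALLOW_RUN=1 sh this.sh
if [ "${AUDIT2ALLOW_RUN:-0}" = 1 ]; then
    flag=$(source_flag_from_ps "$(ps -ef)")
    name=$(next_module_name local "$(semodule -l)")
    audit2allow -l "$flag" -M "$name"   # -l: denials since the last policy reload
    echo "rules in $name.te to reconsider before 'semodule -i $name.pp':"
    review_te "$name.te"
fi
```

Run without AUDIT2ALLOW_RUN to see the helpers applied to the constructed samples: the first listing yields "-a", the second "-d", the free name after "local" and "local2" is "local3", and two of the three allow rules (the dac_override capability and the read of shadow_t) are printed for review while the user_home_t read is not. The script never calls "semodule -i" itself; installing stays a deliberate, separate step after the .te has been read.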
