8.3.8. Allowing Access: audit2allow
Do not use the example in this section in production. It is used only to demonstrate the use of the audit2allow utility.
From the audit2allow(1) manual page: "audit2allow – generate SELinux policy allow rules from logs of denied operations"[16]. After analyzing denials as per Section 8.3.7, “sealert Messages”, and if no label changes or Booleans allowed access, use audit2allow to create a local policy module. After access is denied by SELinux, running the audit2allow command presents Type Enforcement rules that allow the previously denied access.
The following example demonstrates using audit2allow to create a policy module:
1. A denial and the associated system call are logged to /var/log/audit/audit.log:

   type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

   type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

   In this example, certwatch (comm="certwatch") was denied write access ({ write }) to a directory labeled with the var_t type (tcontext=system_u:object_r:var_t:s0). Analyze the denial as per Section 8.3.7, “sealert Messages”. If no label changes or Booleans allowed access, use audit2allow to create a local policy module.

2. With a denial logged, such as the certwatch denial in step 1, run the audit2allow -w -a command to produce a human-readable description of why access was denied. The -a option causes all audit logs to be read. The -w option produces the human-readable description. The audit2allow utility accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:

   As shown, access was denied due to a missing Type Enforcement rule.

3. Run the audit2allow -a command to view the Type Enforcement rule that allows the denied access:

   Important
   Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in Red Hat Bugzilla. For Red Hat Enterprise Linux, create bugs against the Red Hat Enterprise Linux product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports.

4. To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create a custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M, in your current working directory:

   Also, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the semodule -i mycertwatch.pp command as the Linux root user.

   Important
   Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review. If you believe there is a bug in policy, create a bug in Red Hat Bugzilla.
If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the grep command to narrow down the input for audit2allow. The following example demonstrates using grep to only send denials related to certwatch through audit2allow:
~]# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:
~]# semodule -i mycertwatch2.pp
Refer to Dan Walsh's "Using audit2allow to build policy modules. Revisited." blog entry for further information about using audit2allow to build policy modules.
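To review what a generated module will grant, it helps to see how the fields of an AVC denial map onto a Type Enforcement rule, and how filtering by command (the grep step above) changes the result. The following is an added example, not code from audit2allow or from this guide: a simplified sketch of that mapping, using the AVC record from step 1 plus two constructed records (the "exampled" command and its types are hypothetical).

```python
import re
from collections import defaultdict

# The AVC record from step 1 of the procedure above.
PAGE_AVC = ('type=AVC msg=audit(1226270358.848:238): avc: denied { write } for '
            'pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 '
            'scontext=system_u:system_r:certwatch_t:s0 '
            'tcontext=system_u:object_r:var_t:s0 tclass=dir')
# Constructed records (not from the page): a second certwatch denial and a
# denial from a hypothetical "exampled" daemon with hypothetical types.
SAMPLE_LOG = "\n".join([
    PAGE_AVC,
    'type=AVC msg=audit(1226270359.100:239): avc: denied { add_name } for '
    'pid=13349 comm="certwatch" name="tmp" scontext=system_u:system_r:certwatch_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1226270360.200:240): avc: denied { read } for '
    'pid=2001 comm="exampled" name="data" scontext=system_u:system_r:exampled_t:s0 '
    'tcontext=system_u:object_r:example_data_t:s0 tclass=file',
])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text, comm=None):
    """Turn AVC denials into TE allow rules, optionally for one command only."""
    wanted = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m or (comm is not None and m["comm"] != comm):
            continue  # skip SYSCALL records, unparsable lines, other commands
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        wanted[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG, comm="certwatch"):
        print(rule)
```

Each rule grants the permission to every process in the source type on every object of the target type, not only to the one directory named in the denial, which is why the generated rules should be reviewed before the module is installed.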
[16] From the audit2allow(1) manual page, which is available when the policycoreutils-sandbox package in Red Hat Enterprise Linux 6 is installed.