This patch allows audit2allow to look at all avc's since the last time the machine booted.

Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2025-02-15 17:16:54 +00:00 · 2010-03-12 12:58:02 -05:00 · 2010-03-12 12:58:02 -05:00 · 03cd8c2d47
commit 03cd8c2d47
parent 6688e96767
3 changed files with 35 additions and 3 deletions
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@ -42,6 +42,8 @@ class AuditToPolicy:
        from optparse import OptionParser

        parser = OptionParser(version=self.VERSION)
+        parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
+                          help="audit messages since last boot conflicts with -i")
        parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                          help="read input from audit log - conflicts with -i")
        parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@ -83,11 +85,11 @@ class AuditToPolicy:
        options, args = parser.parse_args()

        # Make -d, -a, and -i conflict
-        if options.audit is True:
+        if options.audit is True or options.boot:
            if options.input is not None:
-                sys.stderr.write("error: --all conflicts with --input\n")
+                sys.stderr.write("error: --all/--boot conflicts with --input\n")
            if options.dmesg is True:
-                sys.stderr.write("error: --all conflicts with --dmesg\n")
+                sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
        if options.input is not None and options.dmesg is True:
            sys.stderr.write("error: --input conflicts with --dmesg\n")

@ -132,6 +134,12 @@ class AuditToPolicy:
            except OSError, e:
                sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
                sys.exit(1)
+        elif self.__options.boot:
+            try:
+                messages = audit.get_audit_boot_msgs()
+            except OSError, e:
+                sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
+                sys.exit(1)
        else:
            # This is the default if no input is specified
            f = sys.stdin
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@ -38,6 +38,9 @@
 .B "\-a" | "\-\-all"
 Read input from audit and message log, conflicts with -i
 .TP
+.B "\-b" | "\-\-boot"
+Read input from audit messages since last boot conflicts with -i
+.TP
 .B "\-d" | "\-\-dmesg"
 Read input from output of 
 .I /bin/dmesg.
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@ -23,6 +23,27 @@ import re

 # Convenience functions

+def get_audit_boot_msgs():
+    """Obtain all of the avc and policy load messages from the audit
+    log. This function uses ausearch and requires that the current
+    process have sufficient rights to run ausearch.
+
+    Returns:
+       string contain all of the audit messages returned by ausearch.
+    """
+    import subprocess
+    import time
+    fd=open("/proc/uptime", "r")
+    off=float(fd.read().split()[0])
+    fd.close
+    s = time.localtime(time.time() - off)
+    date = time.strftime("%D/%Y", s).split("/")
+    bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+    boottime = time.strftime("%X", s)
+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+                              stdout=subprocess.PIPE).communicate()[0]
+    return output
+
 def get_audit_msgs():
    """Obtain all of the avc and policy load messages from the audit
    log. This function uses ausearch and requires that the current