RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-28 17:02:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rearranged audit2allow.1 to match the newer ways we use the tool.

Browse Source 
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2010-12-22 15:08:33 -05:00 committed by Eric Paris
parent f1b004bf7d
commit 71b51fdbd6
1 changed files with 35 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
policycoreutils/audit2allow/audit2allow.1
View File

@ -1,5 +1,6 @@
.\" Hey, Emacs! This is an -*- nroff -*- source file. .\" Hey, Emacs! This is an -*- nroff -*- source file.
.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org> .\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
.\" Copyright (c) 2010 Dan Walsh <dwalsh@redhat.com>
.\" .\"
.\" This is free documentation; you can redistribute it and/or .\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as .\" modify it under the terms of the GNU General Public License as
@ -22,7 +23,7 @@
.\" USA. .\" USA.
.\" .\"
.\" .\"
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA
.SH NAME .SH NAME
.BR audit2allow .BR audit2allow
\- generate SELinux policy allow/dontaudit rules from logs of denied operations \- generate SELinux policy allow/dontaudit rules from logs of denied operations
@ -117,14 +118,6 @@ an 'allow' rule.
.B Please substitute /var/log/messages for /var/log/audit/audit.log in the .B Please substitute /var/log/messages for /var/log/audit/audit.log in the
.B examples. .B examples.
.PP .PP
.B Using audit2allow to generate monolithic (non-module) policy
$ cd /etc/selinux/$SELINUXTYPE/src/policy
$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
$ cat domains/misc/local.te
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
<review domains/misc/local.te and customize as desired>
$ make load
.B Using audit2allow to generate module policy .B Using audit2allow to generate module policy
$ cat /var/log/audit/audit.log | audit2allow -m local > local.te $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
@ -132,20 +125,38 @@ $ cat local.te
module local 1.0; module local 1.0;
require { require {
role system_r; class file { getattr open read };
class fifo_file { getattr ioctl }; type myapp_t;
type etc_t;
type cupsd_config_t;
type unconfined_t;
}; };
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; allow myapp_t etc_t:file { getattr open read };
<review local.te and customize as desired> <review local.te and customize as desired>
.B Using audit2allow to generate module policy using reference policy
$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
$ cat local.te
policy_module(local, 1.0)
gen_require(`
type myapp_t;
type etc_t;
};
files_read_etc_files(myapp_t)
<review local.te and customize as desired>
.B Building module policy using Makefile
# SELinux provides a policy devel environment under /usr/share/selinux/devel
# You can create a te file and compile it by executing
$ make -f /usr/share/selinux/devel/Makefile
$ semodule -i local.pp
.B Building module policy manually .B Building module policy manually
# Compile the module # Compile the module
@ -168,6 +179,14 @@ you are required to execute
semodule -i local.pp semodule -i local.pp
.B Using audit2allow to generate monolithic (non-module) policy
$ cd /etc/selinux/$SELINUXTYPE/src/policy
$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
$ cat domains/misc/local.te
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
<review domains/misc/local.te and customize as desired>
$ make load
.fi .fi
.PP .PP
.SH AUTHOR .SH AUTHOR