Audit2allow generating dontaudit rules.

On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>  wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>

Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.

No passing of args.

Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
Daniel J Walsh 2010-03-08 14:33:03 -05:00 committed by Joshua Brindle
parent a73f32c3e3
commit f509e1e8b9
3 changed files with 17 additions and 2 deletions


@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
parser.add_option("-D", "--dontaudit", action="store_true",
dest="dontaudit", default=False,
help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
@ -295,6 +298,8 @@ class AuditToPolicy:
g = policygen.PolicyGenerator()
g.set_gen_dontaudit(self.__options.dontaudit)
if self.__options.module:
g.set_module_name(self.__options.module)
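Review bot: The help text for the new `-D` option (`"generate policy with dontaudit rules"`) reads as if dontaudit rules are emitted in addition to allow rules, while the policygen change in this same commit makes the flag replace the rule type of every generated AV rule, and the man page entry says "(Default: allow)". I would align the option help with that: `help="generate dontaudit rules instead of allow rules (default: allow)"`. The `parser.add_option` block and the method that builds the generator both continue outside the shown hunks, so I can only infer from the visible lines that nothing else consumes `self.__options.dontaudit`.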


@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
\- generate SELinux policy allow rules from logs of denied operations
\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
.B "\-D" | "\-\-dontaudit"
Generate dontaudit rules (Default: allow)
.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP


@ -75,6 +75,8 @@ class PolicyGenerator:
else:
self.module = refpolicy.Module()
self.dontaudit = False
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@ -108,6 +110,9 @@ class PolicyGenerator:
"""
self.explain = explain
def set_gen_dontaudit(self, dontaudit):
self.dontaudit = dontaudit
def __set_module_style(self):
if self.ifgen:
refpolicy = True
@ -144,6 +149,8 @@ class PolicyGenerator:
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
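Review bot: `set_gen_dontaudit` is the only setter in this class without a docstring; its siblings `set_gen_refpol` and the setter closing just above it both document what the flag controls, and the new flag changes the type of every rule `__add_allow_rules` emits. I would add `"""Set whether generated AV rules are emitted as dontaudit rules (suppressing audit logging of the access) instead of allow rules."""` under the `def` so callers see the trade-off without reading `__add_allow_rules`. In the last hunk the name `__add_allow_rules` no longer matches what the loop does when `self.dontaudit` is set; a one-line comment above the `if self.dontaudit:` check, e.g. `# dontaudit overrides the default allow type chosen by AVRule`, would keep the intent clear without renaming a private method. The flag is stored unconverted in `set_gen_dontaudit`, so a caller passing a non-bool would be treated by truthiness at rule-emission time — probably acceptable, but `self.dontaudit = bool(dontaudit)` would pin it.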