Dan Walsh's Blog

Got SELinux?


audit2allow? Why not audit2dontaudit?
danwalsh
In Fedora 12 and Red Hat Enterprise Linux 6, I added a new flag to audit2allow, -D or --dontaudit. This option tells audit2allow to generate dontaudit rules rather than allow rules.

# audit2allow -a

#============= smokeping_t ==============
allow smokeping_t bin_t:file { read execute open execute_no_trans };

vs

# audit2allow -aD

#============= smokeping_t ==============
dontaudit smokeping_t bin_t:file { read execute open execute_no_trans };


If you do not want to allow the access, but also do not want SELinux pestering you about it, this is a great option.

A great example of where this is handy is vbetool.

man vbetool
...
       vbetool - run real-mode video BIOS code to alter hardware state


vbetool is run at boot time and during suspend and resume. It requires mmap_zero access to run properly, which is denied by default. This access is considered dangerous and is described in a previous blog. Luckily most machines do not need vbetool to run successfully. However, SELinux complains to the audit system on each boot and suspend/resume about vbetool requesting mmap_zero. vbetool fails, but nothing else on your machine stops working.

How would I shut up the AVC?


# grep vbetool /var/log/audit/audit.log | audit2allow -DM myvbetool
# semodule -i myvbetool.pp


This will stop the AVC without allowing a dangerous access.

# cat myvbetool.te
module myvbetool 1.0;

require {
    type vbetool_t;
    class memprotect mmap_zero;
}

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

dontaudit vbetool_t self:memprotect mmap_zero;
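
To make the difference between the two modes concrete, here is an added example (not audit2allow's own code, and much simplified) that parses constructed AVC denial records like the smokeping and vbetool ones above, merges them per (source, target, class) and emits either allow rules or, mirroring -D, dontaudit rules. The log lines, PIDs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from a real audit.log); the two
# smokeping denials and the vbetool denial mirror the cases discussed above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1269000000.123:45): avc:  denied  { read execute } for  pid=1234 comm="smokeping" name="fping" scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1269000000.124:46): avc:  denied  { open execute_no_trans } for  pid=1234 comm="smokeping" path="/usr/sbin/fping" scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1269000001.000:47): avc:  denied  { mmap_zero } for  pid=999 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
"""

# Pull the permission set, both security contexts and the object class out of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, [perms]) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group('scon').split(':')[2]
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), m.group('perms').split()


def generate_rules(log_text, dontaudit=False):
    """Merge denials into one rule per (source, target, class), grouped under a
    per-source header the way audit2allow prints them; dontaudit=True mirrors -D."""
    merged = defaultdict(list)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        for p in perms:
            if p not in merged[(stype, ttype, tclass)]:
                merged[(stype, ttype, tclass)].append(p)
    keyword = 'dontaudit' if dontaudit else 'allow'
    lines, last_source = [], None
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        if stype != last_source:
            lines.append(f'#============= {stype} ==============')
            last_source = stype
        target = 'self' if ttype == stype else ttype   # policy shorthand for same-type targets
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'{keyword} {stype} {target}:{tclass} {perm_str};')
    return lines


if __name__ == '__main__':
    print('\n'.join(generate_rules(SAMPLE_AUDIT_LOG)))          # what audit2allow -a would print
    print('\n'.join(generate_rules(SAMPLE_AUDIT_LOG, dontaudit=True)))  # what -aD would print
```

Only the leading keyword changes between the two outputs; the dontaudit form silences the AVC record without granting mmap_zero.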


You are my hero. This...yes. Yesyesyesyes.
