October 1st, 2008

Using audit2allow to build policy modules. Revisited.

On the fedora-selinux mail list Frank Murphy asked

If exim gave an avc denial.

1: Create policy.
audit2allow -M myexim < /var/log/audit/audit.log

then enable it.
semodule -i myexim.pp

2: If then in a couple of days exim generates another avc denial, different from the first.

How does one edit/use audit2allow to include the new avc?

Have looked at "man audit2allow" and can't seem to grasp an edit from the options.

There are a couple of different solutions to this. First you need to understand what audit2allow is doing under the covers. It takes the avc messages and generates allow rules (if you use the -R option, it will search the interfaces for the "best" match and use that rather than a straight allow rule). audit2allow creates a type enforcement (te) file in the current directory using the name given to the -M option.

# audit2allow -M MYPOLICY < /var/log/audit/audit.log

This command will create a te file that looks like:

module MYPOLICY 1.0;

require {
	type staff_mono_t;
	type shadow_t;
	class file getattr;
}

#============= staff_mono_t ==============
allow staff_mono_t shadow_t:file getattr;

audit2allow also compiles this "te" file into a policy package (.pp) ready to be installed with the semodule command. When you install this MYPOLICY.pp, it will replace any previously installed MYPOLICY.pp file. So if Frank just created a new policy package based on the new AVC information and called it myexim again, he would remove his previous fixes.

If he still had the AVC messages from the previous policy package in his /var/log/audit/audit.log, this would not be a problem since they would get added to the new policy package, and he could follow the same procedure.

If he had the te files from the previous run, he could use audit2allow to add rules to the te file.

# audit2allow < /var/log/audit/audit.log >> myexim.te

Then he would need to compile up the policy. Note: you might need to add additional gen_require information.

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myexim.pp

Or a third option would be to just create a new policy package named myexim2.
# audit2allow -M myexim2 < /var/log/audit/audit.log
# semodule -i myexim2.pp
Whenever you generate policy in this way you should really examine the te file for what rules audit2allow has generated and try to make sure they make sense, and don't open a security hole. It is always good to ask if the policy is good on a list like fedora-selinux. If you believe this is a bug in policy, please open a bugzilla. Then we can fix the policy for others.
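One way to apply the first approach above, keeping the AVC messages that went into a module so that a regenerated module still carries the earlier rules, is the following script. It is an added example, not code from the original post; it assumes exim runs in the exim_t domain and uses an archive file of the administrator's choosing, and it stops short of semodule -i so the te file gets reviewed first.

```shell
#!/bin/sh
# Added example, not from the post: keep every AVC record that went into a
# module in one archive file, so a rebuild from the archive still contains the
# earlier fixes after audit.log has rotated. The archive path is the caller's
# choice; the domain name exim_t is an assumption about the exim policy.

# Print the AVC denials whose source domain is $1 (e.g. exim_t) from log $2.
avc_for_domain() {
    grep -E "^type=AVC .*denied .*scontext=[^ ]*:$1:" "$2"
}

# Append the denials for domain $1 found in log $2 to archive $3 (deduplicated)
# and print the number of distinct denials now archived.
archive_avcs() {
    touch "$3"
    avc_for_domain "$1" "$2" >> "$3" || true   # grep exits 1 on no match
    sort -u -o "$3" "$3"
    wc -l < "$3" | tr -d ' '
}

# Regenerate module $1 from archive $2 (same audit2allow/semodule commands as
# in the post), show the rules added since the last build, and leave the
# semodule -i step to the administrator after reviewing the te file.
rebuild_module() {
    [ -f "$1.te" ] && cp "$1.te" "$1.te.prev"
    audit2allow -M "$1" < "$2"
    if [ -f "$1.te.prev" ]; then
        echo "Rules added since the last build:"
        diff "$1.te.prev" "$1.te" | grep '^>' || echo "(none)"
    fi
    echo "Review $1.te, then run: semodule -i $1.pp"
}

# Constructed sample audit log: two exim_t denials (one logged twice),
# one unrelated postfix denial and one SYSCALL record.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1222800000.123:45): avc:  denied  { getattr } for  pid=1234 comm="exim" path="/etc/shadow" dev=sda1 ino=12345 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1222800000.123:45): arch=40000003 syscall=195 success=no exit=-13 comm="exim"
type=AVC msg=audit(1222800100.456:46): avc:  denied  { read } for  pid=1234 comm="exim" name="localtime" dev=sda1 ino=2222 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1222800000.123:45): avc:  denied  { getattr } for  pid=1234 comm="exim" path="/etc/shadow" dev=sda1 ino=12345 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1222800200.789:47): avc:  denied  { write } for  pid=999 comm="master" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}
```

Typical use is `archive_avcs exim_t /var/log/audit/audit.log /var/lib/selinux-local/exim.avc` after each new denial, followed by `rebuild_module myexim /var/lib/selinux-local/exim.avc`; the diff it prints is exactly the set of rules worth checking before installing.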