danwalsh (danwalsh) wrote,

Using audit2allow to build policy modules. Revisited.

On the fedora-selinux mail list Frank Murphy asked

If exim gave an avc denial.

1: Create policy.
audit2allow -M myexim < /var/log/audit/audit.log

then enable it.
semodule -i myexim.pp

2: If then in a couple of days exim generates another avc denial, different from the first.

How does one edit/use audit2allow to include the new avc.

Have looked at "man audit2allow" and can't seem to grasp an edit from the options.

There are a couple of different solutions to this. First you need to understand what audit2allow is doing under the covers. It takes the avc messages and generates allow rules (if you use the -R option, it will search the interfaces for the "best" match and use that rather than a straight allow rule). audit2allow creates a type enforcement (te) file in the current directory using the name given to the -M option.

# audit2allow -M MYPOLICY < /var/log/audit/audit.log

This command will create a te file that looks like:

module MYPOLICY 1.0;

require {
	type staff_mono_t;
	type shadow_t;
	class file getattr;
}

#============= staff_mono_t ==============
allow staff_mono_t shadow_t:file getattr;

audit2allow also compiles this "te" file into a policy package (.pp) ready to be installed with the semodule command. When you install this MYPOLICY.pp, it will replace any previously installed module of the same name. So if Frank just created a new policy package based off the new AVC information and called it myexim again, he would remove his previous fixes.

If he still had the AVC messages from the previous run in his /var/log/audit/audit.log (audit2allow reads the whole file, so the old denials would be picked up along with the new ones), this would not be a problem, since they would get added to the new policy package, and he could follow the same procedure.

If he had the te file from the previous run, he could use audit2allow to append the new rules to it:

# audit2allow < /var/log/audit/audit.log >> myexim.te

Then he would need to recompile the policy. Note: without -m or -M, audit2allow emits only the allow rules, so any new types or object classes they reference must be added to the require block by hand (audit2allow -r prints a require block you can merge in), or the module will not build.

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myexim.pp
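As an added example (this is not code from the original post, and it is not how audit2allow itself is implemented), the following script does in simplified form what the post describes audit2allow doing under the covers, turning AVC records into allow rules, and then merges those rules into an existing myexim.te while regenerating the require block, which is the manual step the append-based workflow above leaves to you. It assumes the .te file is the plain require/allow form that audit2allow -M writes (no -R interface calls); the starting .te file and the AVC lines are constructed for the example, as are the types they name.

```python
"""Merge new AVC denials into an existing SELinux policy module source (.te).

Added example; not code from the original post and not the audit2allow
implementation. It does, in simplified form, what the post says audit2allow
does under the covers (AVC record -> allow rule) and then merges the new
rules into an existing .te file, rebuilding the require block so the module
still compiles. Assumes the .te file was written by `audit2allow -M`
(plain `require { ... }` block and `allow` rules, no -R interface calls).
The log lines and .te file below are constructed for the example.
"""
import re
from collections import defaultdict

# Fields of an AVC record we need: permission set, source and target
# contexts, and the object class. The third colon-separated field of a
# context (user:role:type[:level]) is the type used in an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
MODULE_RE = re.compile(r'^\s*module\s+(\S+)\s+(\S+);', re.M)
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+?)\s+(\{[^}]*\}|\S+?);', re.M)


def context_type(ctx):
    return ctx.split(':')[2]


def parse_avcs(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from audit.log text."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
            rules[key].update(m['perms'].split())
    return rules


def parse_te(te_text):
    """Return (module_name, version, rules) from an audit2allow-style .te file."""
    m = MODULE_RE.search(te_text)
    if not m:
        raise ValueError('not a policy module: no "module NAME VERSION;" line')
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules[(src, tgt, cls)].update(perms.strip('{} ').split())
    return m.group(1), m.group(2), rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_te(module_name, version, rules):
    """Emit a .te file whose require block covers every type and class the rules use."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {module_name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(classes[c])};' for c in sorted(classes)]
    out += ['}', '']
    for src in sorted({s for s, _, _ in rules}):
        out.append(f'#============= {src} ==============')
        out += [f'allow {s} {t}:{c} {fmt_perms(p)};'
                for (s, t, c), p in sorted(rules.items()) if s == src]
        out.append('')
    return '\n'.join(out)


def merge_avcs_into_te(te_text, log_text):
    """Add the denials in log_text to te_text without dropping the rules already there."""
    name, version, rules = parse_te(te_text)
    for key, perms in parse_avcs(log_text).items():
        rules[key] |= perms
    return render_te(name, version, rules)


# Constructed .te file, as a first `audit2allow -M myexim` run might have produced it.
SAMPLE_TE = """module myexim 1.0;

require {
\ttype exim_t;
\ttype etc_mail_t;
\tclass file read;
}

#============= exim_t ==============
allow exim_t etc_mail_t:file read;
"""

# Constructed AVC records for the later denials: a new permission on an
# existing rule, plus a new object class and target type. The SYSCALL
# record is there to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.100:200): avc:  denied  { write } for  pid=2001 comm="exim" name="aliases.db" dev=dm-0 ino=4242 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1300000000.200:201): avc:  denied  { name_connect } for  pid=2001 comm="exim" dest=25 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1300000000.200:201): arch=c000003e syscall=42 success=no exit=-13
"""

if __name__ == '__main__':
    print(merge_avcs_into_te(SAMPLE_TE, SAMPLE_AUDIT_LOG))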

Or a third option would be to just create a new policy package named myexim2, which is installed alongside myexim rather than replacing it:

# audit2allow -M myexim2 < /var/log/audit/audit.log
# semodule -i myexim2.pp

Whenever you generate policy in this way you should really examine the te file for what rules audit2allow has generated and try to make sure they make sense and don't open a security hole. It is always good to ask if the policy is good on a list like fedora-selinux. If you believe this is a bug in policy, please open a bugzilla. Then we can fix the policy for others.
