# audit2allow -a
#============= smokeping_t ==============
allow smokeping_t bin_t:file { read execute open execute_no_trans };
vs
# audit2allow -aD
#============= smokeping_t ==============
dontaudit smokeping_t bin_t:file { read execute open execute_no_trans };
If you do not want to allow the access and do not want SELinux pestering you about it, this is a great option.
A great example of where this is handy is vbetool.
man vbetool
...
vbetool - run real-mode video BIOS code to alter hardware state
vbetool is run at boot time and during suspend and resume. It requires mmap_zero access to run properly, which is denied by default. This access is considered dangerous and is described in a previous blog. Luckily, most machines do not need vbetool to run successfully. However, SELinux complains to the audit system on each boot and suspend/resume about vbetool requesting mmap_zero. vbetool does not work, but nothing else on your machine stops working because of it.
How would I shut up the AVC?
# grep vbetool /var/log/audit/audit.log | audit2allow -DM myvbetool
# semodule -i myvbetool.pp
This will stop the AVC without allowing a dangerous access.
# cat myvbetool.te
module myvbetool 1.0;
require {
type vbetool_t;
class memprotect mmap_zero;
}
#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
dontaudit vbetool_t self:memprotect mmap_zero;
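The mapping from AVC denials to allow or dontaudit rules shown above, as an added example (a simplified illustration, not audit2allow's own code). The audit records are constructed, the function names are hypothetical, and permissions are sorted alphabetically, which differs from the order audit2allow prints.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.101:41): avc:  denied  { mmap_zero } for  pid=2101 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
type=AVC msg=audit(1300000050.202:57): avc:  denied  { read open } for  pid=2300 comm="smokeping" scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1300000051.203:58): avc:  denied  { execute execute_no_trans } for  pid=2300 comm="smokeping" scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1300000051.203:58): arch=c000003e syscall=59 success=no
"""

# Pull the denied permissions, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(ctx):
    # A context is user:role:type[:level]; rules are written on the type.
    return ctx.split(":")[2]


def rules_from_log(text, dontaudit=False):
    """Merge denials per (source, target, class) and emit one rule each."""
    merged = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the SYSCALL record)
        src = context_type(m["s"])
        tgt = context_type(m["t"])
        if tgt == src:
            tgt = "self"  # a domain acting on itself, as with vbetool_t
        merged[(src, tgt, m["cls"])].update(m["perms"].split())
    keyword = "dontaudit" if dontaudit else "allow"
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG, dontaudit=True)))
```

Only the rule keyword changes between the two modes: the dontaudit form silences the log entry while the access itself stays denied.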