danwalsh (danwalsh) wrote,

audit2allow ? Why not audit2dontaudit?

In Fedora 12 and Red Hat Enterprise Linux 6, I added a new flag to audit2allow, -D or --dontaudit. This option tells audit2allow to generate dontaudit rules rather than allow rules.

# audit2allow -a

#============= smokeping_t ==============
allow smokeping_t bin_t:file { read execute open execute_no_trans };


# audit2allow -aD

#============= smokeping_t ==============
dontaudit smokeping_t bin_t:file { read execute open execute_no_trans };

If you do not want to allow the access, but also do not want SELinux pestering you about it, this is a great option.

A great example of where this is handy is vbetool.

man vbetool
       vbetool - run real-mode video BIOS code to alter hardware state

vbetool is run at boot time and during suspend and resume. It requires mmap_zero access to run properly, which is denied by default. This access is considered dangerous and is described in a previous blog. Luckily most machines do not need vbetool to run successfully. However, SELinux complains to the audit system on each boot and suspend/resume about vbetool requesting mmap_zero. vbetool fails, but nothing else on your machine stops working.

How would I shut up the AVC?

# grep vbetool /var/log/audit/audit.log | audit2allow -DM myvbetool
# semodule -i myvbetool.pp

This will stop the AVC without allowing a dangerous access.

# cat myvbetool.te
module myvbetool 1.0;

require {
    type vbetool_t;
    class memprotect mmap_zero;
}

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

dontaudit vbetool_t self:memprotect mmap_zero;
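Added here as a worked example, not part of Dan's post or of the audit2allow tool itself: a small Python script that does what the audit2allow -a / -aD runs above and the grep vbetool | audit2allow -D pipeline do, turning AVC denial records into allow or dontaudit rules grouped per source type, target type and class, with same-type targets written as self. The audit records are constructed sample data, and the comm filter stands in for the grep.

```python
import re

# Constructed audit.log records in the AVC format audit2allow reads (sample data, not from the post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1258000000.101:21): avc:  denied  { read } for  pid=2101 comm="smokeping" name="fping" dev=sda2 ino=4711 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1258000000.102:22): avc:  denied  { execute } for  pid=2101 comm="smokeping" name="fping" dev=sda2 ino=4711 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1258000000.103:23): avc:  denied  { open execute_no_trans } for  pid=2101 comm="smokeping" path="/usr/sbin/fping" dev=sda2 ino=4711 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1258000000.201:24): avc:  denied  { mmap_zero } for  pid=913 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
type=SYSCALL msg=audit(1258000000.201:24): arch=c000003e syscall=9 success=no exit=-13 comm="vbetool"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')

def _type_of(context):
    """A security context is user:role:type[:level]; the type is the third field."""
    return context.split(':')[2]

def generate_rules(audit_text, dontaudit=False, comm=None):
    """Turn AVC denials into policy rules the way audit2allow groups them:
    one rule per (source type, target type, class) carrying every permission
    seen. dontaudit=True mirrors 'audit2allow -D'; comm restricts the input
    to one program, standing in for the 'grep vbetool |' in the post."""
    perms_by_key = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        c = COMM_RE.search(line)
        if comm is not None and (c is None or c.group(1) != comm):
            continue
        stype, ttype = _type_of(m.group('scon')), _type_of(m.group('tcon'))
        if stype == ttype:
            ttype = 'self'  # audit2allow writes same-type rules against self
        perms = perms_by_key.setdefault((stype, ttype, m.group('tclass')), [])
        for perm in m.group('perms').split():
            if perm not in perms:
                perms.append(perm)  # keep first-seen order, like the post's output
    keyword = 'dontaudit' if dontaudit else 'allow'
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'{keyword} {stype} {ttype}:{tclass} {perm_text};')
    return rules
```

Running generate_rules(SAMPLE_AUDIT_LOG, dontaudit=True, comm='vbetool') yields exactly the dontaudit line in myvbetool.te above; the rules still need the require block and a semodule -i to take effect.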

