audit2allow ? Why not audit2dontaudit?
In Fedora 12 and Red Hat Enterprise Linux 6, I added a new flag to audit2allow, -D or --dontaudit. This option tells audit2allow to generate dontaudit rules rather than allow rules.

# audit2allow -a

#============= smokeping_t ==============
allow smokeping_t bin_t:file { read execute open execute_no_trans };


# audit2allow -aD

#============= smokeping_t ==============
dontaudit smokeping_t bin_t:file { read execute open execute_no_trans };

If you do not want to allow the access, but also do not want SELinux pestering you about it, this is a great option: a dontaudit rule silences the AVC denial message while the access itself stays denied.

A great example of where this is handy is vbetool.

man vbetool
       vbetool - run real-mode video BIOS code to alter hardware state

vbetool is run at boot time and during suspend and resume. It requires mmap_zero access (mapping the lowest pages of memory) to run properly, which is denied by default. This access is considered dangerous and is described in a previous blog. Luckily most machines do not need vbetool to run successfully. However, SELinux reports a denial to the audit system on every boot and every suspend/resume when vbetool requests mmap_zero. vbetool fails, but nothing else on the machine stops working.

How would I shut up the AVC?

# grep vbetool /var/log/audit/audit.log | audit2allow -DM myvbetool
# semodule -i myvbetool.pp

This will stop the AVC without allowing a dangerous access.

# cat myvbetool.te
module myvbetool 1.0;

# The require block declares every type and class the rule below refers to.
require {
    type vbetool_t;
    class memprotect mmap_zero;
}

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

dontaudit vbetool_t self:memprotect mmap_zero;
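As an added example (not code from this post or from policycoreutils), here is a toy version of the pipeline above in Python, the language audit2allow itself is written in. It parses constructed AVC records in audit.log format, merges permissions per source type, target type and class, writes `self` when source and target types match, and emits either allow rules (the default audit2allow output) or, like -D, dontaudit rules wrapped in the .te file that -M produces. The sample log lines, pids and timestamps are invented, and the `pattern` argument is an assumption standing in for the `grep vbetool` in front of audit2allow.

```python
"""Toy version of what 'audit2allow' and 'audit2allow -D' do: parse AVC denials
out of audit.log, merge them per (source type, target type, class), and emit
allow or dontaudit rules plus the .te wrapper that '-M' produces.
Added example; not the audit2allow code shipped in policycoreutils."""
import re
from collections import defaultdict

# Constructed sample records in the kernel's audit.log format (pids, inodes and
# timestamps are invented). The SYSCALL line shows that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259000000.123:45): avc:  denied  { mmap_zero } for  pid=1234 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
type=AVC msg=audit(1259000001.456:46): avc:  denied  { read } for  pid=2345 comm="smokeping" name="ls" dev=sda1 ino=9 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1259000001.457:47): avc:  denied  { execute } for  pid=2345 comm="smokeping" name="ls" dev=sda1 ino=9 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1259000001.457:47): arch=c000003e syscall=59 success=no exit=-13 comm="smokeping"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def type_of(context):
    """'user:role:type[:level]' -> 'type'."""
    return context.split(':')[2]


def parse_avcs(log_text, pattern=None):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial.
    'pattern' (assumed helper) plays the role of 'grep vbetool' in front of audit2allow."""
    for line in log_text.splitlines():
        if pattern is not None and pattern not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD ... records carry no denial
        yield (type_of(m['scontext']), type_of(m['tcontext']),
               m['tclass'], set(m['perms'].split()))


def _perm_str(perms):
    """Single permission bare, several in braces, as policy syntax requires."""
    return '{ %s }' % ' '.join(sorted(perms)) if len(perms) > 1 else next(iter(perms))


def build_rules(log_text, kind='dontaudit', pattern=None):
    """One rule per (source, target, class) with permissions merged, like audit2allow.
    kind='allow' is the default audit2allow output; 'dontaudit' is the -D flavour.
    A target type equal to the source type is written as 'self'."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(log_text, pattern):
        merged[(src, tgt, tclass)] |= perms
    return ['%s %s %s:%s %s;' % (kind, src, 'self' if src == tgt else tgt, tclass, _perm_str(perms))
            for (src, tgt, tclass), perms in sorted(merged.items())]


def build_module(name, log_text, kind='dontaudit', pattern=None):
    """The .te source that 'audit2allow -M name' writes before calling checkmodule."""
    entries = list(parse_avcs(log_text, pattern))
    types = sorted({t for src, tgt, _, _ in entries for t in (src, tgt)})
    classes = defaultdict(set)
    for _, _, tclass, perms in entries:
        classes[tclass] |= perms
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, _perm_str(p)) for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += build_rules(log_text, kind, pattern)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Equivalent of: grep vbetool /var/log/audit/audit.log | audit2allow -DM myvbetool
    print(build_module('myvbetool', SAMPLE_AUDIT_LOG, pattern='vbetool'))
```

Running it with `pattern='vbetool'` reproduces the myvbetool.te shown above; without the pattern it also emits the merged smokeping_t rule, which is why the grep in front matters: a dontaudit rule hides the denial from setroubleshoot as well as from the log, so keep the module to exactly the one permission you mean to silence. If you later need to debug that domain, `semodule -DB` rebuilds the policy with all dontaudit rules disabled and `semodule -B` puts them back.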

You are my hero. This...yes. Yesyesyesyes.

I'm just on the verge of understanding this, thanks.
