audit2allow



AUDIT2ALLOW(1)                        NSA                       AUDIT2ALLOW(1)




NAME

       audit2allow - generate policy allow rules from logs of denied operations


SYNOPSIS

       audit2allow [options]


OPTIONS

       --help Print a short usage message

       -d     Read input from output of /bin/dmesg.  Note that audit  messages
              are  not  available  via  dmesg  when  auditd is running; use -i
              /var/log/audit/audit.log instead.

       -v     Turn on verbose output

       -l     read input only after last policy reload

       -i <inputfile>
              read input from <inputfile>

       -o <outputfile>
              append output to <outputfile>


DESCRIPTION

       This utility scans the logs for messages logged when the system denied
       permission for operations, and generates a snippet of policy rules
       which, if loaded into policy, might have allowed those operations to
       succeed.  However, this utility only generates Type Enforcement (TE)
       allow rules.  Certain permission denials may require other kinds of
       policy changes, e.g. adding an attribute to a type declaration to
       satisfy an existing constraint, adding a role allow rule, or modifying
       a constraint.  The audit2why(8) utility may be used to diagnose the
       reason when it is unclear.

       Care must be exercised while acting on the output of this utility to
       ensure that the operations being permitted do not pose a security
       threat.  Often it is better to define new domains and/or types, or make
       other structural changes to narrowly allow an optimal set of operations
       to succeed, as opposed to blindly implementing the sometimes broad
       changes recommended by this utility.  Certain permission denials are
       not fatal to the application, in which case it may be preferable to
       simply suppress logging of the denial via a 'dontaudit' rule rather
       than an 'allow' rule.
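       The following is an added illustration of what the DESCRIPTION above
       says the tool does, written for this page; it is not audit2allow's own
       source code.  It parses constructed AVC denial records in the format
       found in /var/log/audit/audit.log, groups them by (source type, target
       type, object class), and renders either 'allow' or 'dontaudit' TE rules
       so the two options from the text can be compared side by side.  The
       log lines, the types and the regular expression are all assumptions
       made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from any real system).
# One record is 'granted' and one is a SYSCALL record; both must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1105000000.100:10): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1105000000.200:11): avc:  denied  { getattr open } for  pid=2001 comm="httpd" path="/home/alice/index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1105000000.300:12): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1105000000.300:12): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1105000000.400:13): avc:  granted  { read } for  pid=2002 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
"""

# Matches only *denied* AVC records and pulls out the permission set and the
# security contexts; 'granted' records and non-AVC records do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}
    for every denied AVC record in the given audit log text."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted, SYSCALL, or otherwise not an AVC denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def generate_rules(denials, rule="allow"):
    """Render TE rules from parsed denials.

    rule is 'allow' (permit the operation) or 'dontaudit' (keep denying it
    but stop logging it), the two choices discussed in the DESCRIPTION."""
    if rule not in ("allow", "dontaudit"):
        raise ValueError("rule must be 'allow' or 'dontaudit'")
    lines = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"{rule} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("# candidate allow rules (review before loading):")
    print(generate_rules(found, "allow"))
    print("# alternative: silence the denials instead of permitting them:")
    print(generate_rules(found, "dontaudit"))
```

       Note how the first two records collapse into a single rule granting
       httpd_t read, getattr and open on *every* user_home_t file; that is
       exactly the kind of broad rule the text warns about, where a new
       narrower type for the web content would be the better structural fix.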



EXAMPLE

       $ cd /etc/selinux/${SELINUXTYPE}/src/policy
       $ /usr/bin/audit2allow -i /var/log/audit/audit.log >> domains/misc/local.te
       <review domains/misc/local.te and customize as desired>
       $ make load



AUTHOR

       This manual page was written by Manoj Srivastava <srivasta@debian.org>,
       for the Debian GNU/Linux system.  The audit2allow utility has
       contributions from several people, including Justin R. Smith and
       Yuichi Nakamura.



Security Enhanced Linux          January 2005                   AUDIT2ALLOW(1)
