runsisi's

technical notes

audit2allow

2019-03-19 runsisi#selinux

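Normally, SELinux policy modules are built from hand-written fc (file context) and te (type enforcement) definitions, but in some special cases it is enough to generate a policy module ad hoc from the audit log.

Note that audit2allow is part of the policycoreutils-python rpm package, which is not installed by default on a CentOS minimal installation.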

Viewing denied messages

The -w, --why option of audit2allow produces the same output as audit2why.

The -b option reads only the audit log entries recorded since the machine booted:

~]# audit2allow -b -w
type=AVC msg=audit(1552892576.161:71): avc:  denied  { write } for  pid=1043 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1552892576.435:72): avc:  denied  { write } for  pid=1100 comm="restorecon" path="/var/lib/ceph/tmp/mnt.hCPDE7/systemd" dev="sdb1" ino=48 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

The -i option reads a specific audit log file (it conflicts with -b):

~]# audit2allow -i /var/log/audit/audit.log -w
type=AVC msg=audit(1551417789.701:2130): avc:  denied  { write } for  pid=6105 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1551417790.274:2131): avc:  denied  { write } for  pid=6144 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

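Generating te rules

The -m, --module option sets the module name and prints the te rules to standard output.

The -b option reads only the audit log entries recorded since the machine booted: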

~]# audit2allow -b -m xxx

module xxx 1.0;

require {
        type setfiles_t;
        type var_lib_t;
        class file write;
}

#============= setfiles_t ==============

#!!!! WARNING: 'var_lib_t' is a base type.
allow setfiles_t var_lib_t:file write;

The -i option reads a specific audit log file (it conflicts with -b):

~]# audit2allow -i /var/log/audit/audit.log -m xxx

module xxx 1.0;

require {
        type setfiles_t;
        type var_lib_t;
        class file write;
}

#============= setfiles_t ==============

#!!!! WARNING: 'var_lib_t' is a base type.
allow setfiles_t var_lib_t:file write;
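
The rule above grants every setfiles_t process write access to every var_lib_t file, not only to the paths named in the denials, so it helps to see how many denials each generated rule stands for before loading anything. The following is an added example, not code from the original post or from policycoreutils: avc_to_rules and sample_avc are hypothetical helper names, the first two sample records are copied from the -b -w output above, and the third (example_t) is constructed to show permissions being merged.

```shell
#!/bin/bash
# Added example: collapse AVC denials into the allow rules they imply.
# avc_to_rules is a hypothetical helper name, not part of policycoreutils.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        perms = src = tgt = cls = ""
        # Denied permissions sit between the first pair of braces: { write }
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level; a TE rule uses only the type.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        hits[key]++                      # denials behind this rule
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) seen[key SUBSEP p[j]] = 1
    }
    END {
        for (kp in seen) { split(kp, s, SUBSEP); print s[1], s[2], hits[s[1]] }
    }' | LC_ALL=C sort | awk '
    function emit() {
        printf "%d\tallow %s %s;\n", cnt, prev, (perms ~ / / ? "{ " perms " }" : perms)
    }
    { k = $1 " " $2
      if (k != prev) { if (prev != "") emit(); prev = k; perms = $3; cnt = $4 }
      else perms = perms " " $3 }
    END { if (prev != "") emit() }'
}

# Sample input: records 1-2 come from the output above, record 3 is constructed.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1552892576.161:71): avc:  denied  { write } for  pid=1043 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1552892576.435:72): avc:  denied  { write } for  pid=1100 comm="restorecon" path="/var/lib/ceph/tmp/mnt.hCPDE7/systemd" dev="sdb1" ino=48 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1552892580.000:73): avc:  denied  { read open } for  pid=1200 comm="example" path="/tmp/example" dev="dm-0" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

sample_avc | avc_to_rules   # columns: denial count, implied allow rule
```

On a real host the same function can be fed with `avc_to_rules < /var/log/audit/audit.log`.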

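Generating a pp module

The -M option sets the module name and generates a pp module.

The -b option reads only the audit log entries recorded since the machine booted: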

# audit2allow -b -M xxx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i xxx.pp

~]# ll xxx.pp
-rw-r--r--. 1 root root 932 Mar 19 16:23 xxx.pp

The -i option reads a specific audit log file (it conflicts with -b):

~]# audit2allow -i /var/log/audit/audit.log -M xxx
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i xxx.pp

~]# ll xxx.pp
-rw-r--r--. 1 root root 932 Mar 19 16:24 xxx.pp
