audit2allow
Normally we generate SELinux policy modules by writing fc (file context) and te (type enforcement) definitions by hand, but in some special cases it is enough to generate a temporary SELinux policy module from the audit log alone.
Note that audit2allow ships in the policycoreutils-python rpm package, which is not installed by default on CentOS minimal.
Viewing denied messages
The -w, --why option of audit2allow gives the same output as audit2why. The -b option reads only the audit log entries written since the machine booted:
~]# audit2allow -b -w
type=AVC msg=audit(1552892576.161:71): avc: denied { write } for pid=1043 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1552892576.435:72): avc: denied { write } for pid=1100 comm="restorecon" path="/var/lib/ceph/tmp/mnt.hCPDE7/systemd" dev="sdb1" ino=48 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
The -i option reads a specific audit log file (conflicts with -b):
~]# audit2allow -i /var/log/audit/audit.log -w
type=AVC msg=audit(1551417789.701:2130): avc: denied { write } for pid=6105 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1551417790.274:2131): avc: denied { write } for pid=6144 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Generating te rules
The -m, --module option sets the module name and prints the te rules to standard output. The -b option reads only the audit log entries written since boot:
~]# audit2allow -b -m xxx
module xxx 1.0;
require {
	type setfiles_t;
	type var_lib_t;
	class file write;
}
#============= setfiles_t ==============
#!!!! WARNING: 'var_lib_t' is a base type.
allow setfiles_t var_lib_t:file write;
The -i option reads a specific audit log file (conflicts with -b):
~]# audit2allow -i /var/log/audit/audit.log -m xxx
module xxx 1.0;
require {
	type setfiles_t;
	type var_lib_t;
	class file write;
}
#============= setfiles_t ==============
#!!!! WARNING: 'var_lib_t' is a base type.
allow setfiles_t var_lib_t:file write;
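The two transcripts above show the mapping audit2allow -m performs: the type from scontext becomes the source domain, the type from tcontext the target, and tclass plus the permissions inside { } become the allow rule. The script below is an added example (not code from the original post, and not part of audit2allow or policycoreutils) that reproduces that mapping in POSIX sh and awk so it can be run offline. AVC_SAMPLE is constructed test data in the shape of the denials shown above (the dir record and the SYSCALL record are added to show permission merging and record filtering), and BASE_TYPES is an assumed shortlist of generic labels, not audit2allow's real list. The point of the base-type warning is the review step before semodule -i: the rule grants setfiles_t write on every file labelled var_lib_t, not just the one path in the denial, so check first whether that path is merely mislabeled (restorecon -v on it) before loading a policy that widens access.

```shell
#!/bin/sh
# Added example, not code from the original post and not part of audit2allow/policycoreutils.
# It reproduces what audit2allow -m does with an AVC record: take the type from scontext,
# the type from tcontext, tclass and the permission set, and emit an allow rule.
# AVC_SAMPLE is constructed test data in the shape of the denials shown above;
# BASE_TYPES is an assumed shortlist of generic types, not audit2allow's real list.

AVC_SAMPLE='type=AVC msg=audit(1552892576.161:71): avc: denied { write } for pid=1043 comm="restorecon" path="/var/lib/ceph/tmp/ceph-disk.activate.lock" dev="dm-0" ino=34649958 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1552892576.435:72): avc: denied { write } for pid=1100 comm="restorecon" path="/var/lib/ceph/tmp/mnt.hCPDE7/systemd" dev="sdb1" ino=48 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1552892600.000:73): avc: denied { read open } for pid=2000 comm="restorecon" path="/var/lib/ceph/tmp" dev="dm-0" ino=100 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1552892600.000:73): arch=c000003e syscall=2 success=no exit=-13'

BASE_TYPES="var_lib_t var_t etc_t usr_t tmp_t"

# Reduce AVC denial records on stdin to unique "source target class permission" tuples.
# Non-AVC records (SYSCALL, PATH, ...) are skipped.
avc_tuples() {
    awk '
        /^type=AVC / && /avc: +denied +[{]/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # keep the text after "{ "
            sub(/ *[}].*/, "", perms)           # ... up to " }"
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == "" || tgt == "" || cls == "") next
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) print src, tgt, cls, p[i]
        }' | sort -u
}

# Render the tuples from stdin as a TE module named $1, in the layout audit2allow -m uses.
te_module() {
    avc_tuples | awk -v name="$1" -v base="$BASE_TYPES" -v q="'" '
        function fmt(list,  n, p) { n = split(list, p, " "); return (n == 1) ? p[1] : ("{ " list " }") }
        function append(list, item) { return (list == "") ? item : (list " " item) }
        {
            if (!($1 in seen_t)) { seen_t[$1] = 1; t_ord[++nt] = $1 }
            if (!($2 in seen_t)) { seen_t[$2] = 1; t_ord[++nt] = $2 }
            if (!($3 in c_perm)) { c_ord[++nc] = $3; c_perm[$3] = "" }
            if (index(" " c_perm[$3] " ", " " $4 " ") == 0) c_perm[$3] = append(c_perm[$3], $4)
            key = $1 " " $2 ":" $3
            if (!(key in a_perm)) { a_ord[++na] = key; a_perm[key] = "" }
            a_perm[key] = append(a_perm[key], $4)
        }
        END {
            nb = split(base, b, " "); for (i = 1; i <= nb; i++) is_base[b[i]] = 1
            printf "module %s 1.0;\n\nrequire {\n", name
            for (i = 1; i <= nt; i++) printf "\ttype %s;\n", t_ord[i]
            for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", c_ord[i], fmt(c_perm[c_ord[i]])
            print "}"
            last = ""
            for (i = 1; i <= na; i++) {
                key = a_ord[i]; split(key, k, "[ :]")
                if (k[1] != last) { printf "\n#============= %s ==============\n", k[1]; last = k[1] }
                if (k[2] in is_base) printf "#!!!! WARNING: %s%s%s is a base type.\n", q, k[2], q
                printf "allow %s %s;\n", key, fmt(a_perm[key])
            }
        }'
}

printf '%s\n' "$AVC_SAMPLE" | te_module xxx
```

Feeding the same script an actual log (ausearch -m avc | te_module mymod) gives a rule set you can read before deciding whether any of it should become a module; the one thing it does not do, and audit2allow does, is consult the loaded policy for the dontaudit and constraint cases that audit2why reports.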
Generating pp modules
The -M option sets the module name and builds a pp (policy package) module. The -b option reads only the audit log entries written since boot:
~]# audit2allow -b -M xxx
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i xxx.pp
~]# ll xxx.pp
-rw-r--r--. 1 root root 932 Mar 19 16:23 xxx.pp
The -i option reads a specific audit log file (conflicts with -b):
~]# audit2allow -i /var/log/audit/audit.log -M xxx
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i xxx.pp
~]# ll xxx.pp
-rw-r--r--. 1 root root 932 Mar 19 16:24 xxx.pp
References
audit2allow man page
man audit2allow
Last modified 2019-03-19