audit2allow
Create SELinux policy modules from audit logs
TLDR
Generate a local policy to allow access for all denied services
Generate a local policy module to grant access to a specific process/service/command from the audit logs
Inspect and review the Type Enforcement (.te) file for a local policy
Install a local policy module
SYNOPSIS
audit2allow [-h] [-v] [-a | -b | -i input_file] [-m module_name | -M module_name] [-r] [-D] [-w] [-p policy_file] [-o output_file]
PARAMETERS
-h
Show help message and exit.
-v
Be verbose.
-m module_name
Specify the module name for the generated policy module.
-r
Generate "require" output syntax for loadable modules (a require block listing the types and classes the rules reference), so the output can be compiled with checkmodule.
-b
Read input from the audit messages logged since the last boot; conflicts with -i.
-a
Read input from the audit log and the system message log; conflicts with -i.
-i input_file
Read input from input_file (default is standard input).
-M module_name
Generate a loadable module package: write module_name.te, compile it with checkmodule and semodule_package, and produce module_name.pp; conflicts with -o.
-D
Generate dontaudit rules instead of allow rules.
-w
Translate the denials into a description of why the access was denied (the --why option) instead of generating rules.
-o output_file
Append the generated output to output_file (default is standard output).
-p policy_file
Specify the policy file to use for analysis (defaults to the active policy).
DESCRIPTION
audit2allow analyzes audit log entries and generates SELinux policy rules that would allow the actions that were denied. It is primarily used to create custom policy modules to address denials encountered while running applications under SELinux. The command parses audit logs produced by the audit daemon, identifies access control violations, and suggests the necessary SELinux rules (allow rules, type declarations, etc.) to permit the blocked actions.
The generated rules are a starting point, not a finished policy: review and refine them before deploying to production. Understand what each rule grants, and make sure the module does not hand out more than the application needs (a denial on one file in a home directory, for example, becomes an allow rule for every file of that type). The tool can emit either source policy (a .te file, suitable for review and editing) or, with -M, a compiled loadable module (.pp) that semodule can install.
CAVEATS
The generated policy rules should be carefully reviewed and refined. Blindly applying the suggested rules weakens the overall security of the system: the tool allows whatever was denied, including actions that were denied for good reason.
The tool relies on the accuracy and completeness of the audit logs. If the logs are incomplete, truncated or corrupted, the generated rules will be too. audit2allow also only sees what was audited: denials suppressed by dontaudit rules never reach the log, so when chasing a silent failure, temporarily disable them with semodule -DB, reproduce the problem, and re-enable them with semodule -B afterwards.
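To make the DESCRIPTION and CAVEATS above concrete, the following script is an added example written for this page; it is not audit2allow's own implementation (which is built on the sepolgen library). It parses constructed AVC records in auditd's format, aggregates the denied permissions per source type, target type and object class, emits a minimal .te module in the style audit2allow produces, and flags permissions a reviewer would want to justify before loading the module. The sample log lines, the module name local_httpd and the HIGH_RISK_PERMS watch list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's AVC format (not captured from a real system).
# Note the SYSCALL record and the "granted" record: neither should produce a rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { execmem } for  pid=2345 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=10 success=no exit=-13 comm="myapp" exe="/usr/local/bin/myapp" subj=system_u:system_r:myapp_t:s0
type=AVC msg=audit(1700000000.105:205): avc:  granted  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Match only denials; pull the permission set and the two contexts plus the class.
AVC_DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: a reviewer's own watch list of permissions that should never be
# accepted just because audit2allow suggested them.
HIGH_RISK_PERMS = {
    "execmem", "execheap", "execstack", "execmod",      # W+X memory / code injection
    "relabelfrom", "relabelto",                         # rewriting labels defeats the policy
    "setenforce", "load_policy", "mac_admin",           # control over SELinux itself
    "module_load", "sys_admin", "sys_module", "dac_override",
}


def type_of(context):
    """Third field of user:role:type[:range] is the type; the MLS range may contain ':'."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(rules, module_name):
    """Emit a .te source module: header, require block, then one allow rule per key."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s != src:
                continue
            target = "self" if tgt == src else tgt   # source == target is written as self
            out.append(f"allow {src} {target}:{cls} {format_perms(perms)};")
        out.append("")
    return "\n".join(out)


def review(rules):
    """List the generated rules that grant a watch-listed permission."""
    findings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        risky = sorted(perms & HIGH_RISK_PERMS)
        if risky:
            findings.append(f"{src} -> {tgt}:{cls} grants {' '.join(risky)}")
    return findings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print(generate_te(denials, "local_httpd"))
    for finding in review(denials):
        print("REVIEW:", finding)
```

Running it shows why review matters: the two httpd denials collapse into a single `allow httpd_t user_home_t:file { open read };`, which is far broader than the one file that was actually touched (the right fix there is usually relabelling the content, not a new rule), and the myapp denial becomes `allow myapp_t self:process execmem;`, which the review step flags because it permits writable-and-executable memory.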
EXAMPLES
Generate policy rules from audit.log and save it to mymodule.te:
audit2allow -i /var/log/audit/audit.log -m mymodule -o mymodule.te
Generate a loadable module package:
audit2allow -i /var/log/audit/audit.log -M mymodule
This writes mymodule.te, compiles it (via checkmodule and semodule_package, leaving mymodule.mod as an intermediate) into mymodule.pp, and prints the semodule -i mymodule.pp command needed to install it.
HISTORY
audit2allow has been developed as part of the SELinux userspace tools to facilitate the creation of custom SELinux policy modules. It arose from the need to automate the process of analyzing audit logs and translating denials into policy rules. Over time, it has been refined and improved to support various policy formats and options.