audit2allow

audit2allow [OPTIONS]

audit2allow generates SELinux policy allow rules from audit logs. It reads denial messages from the audit subsystem and creates type enforcement rules that would permit the denied operations.The tool can produce simple allow rules for quick troubleshooting or generate complete loadable policy modules with the -M option. When used with -R, it generates reference policy using standard macros, producing cleaner and more maintainable rules. It is typically used after audit2why has identified the root cause of denials.

-a, --all

Read input from audit and message logs.

Read input from audit messages since the last boot.

Read input from dmesg output.

Read input from the specified file.

Read only AVC denials since the last policy reload.

Generate module output (source, not packaged).

Generate a loadable policy module package (.pp).

Append output to the given file.

Generate dontaudit rules instead of allow rules.

Generate reference policy using installed interface macros.

Do not generate reference policy; use traditional allow rules.

Translate audit messages into a description of why access was denied.

Fully explain the generated output.

Generate extended permission (ioctl) rules.

Filter output by type regular expression.

Generate CIL (Common Intermediate Language) output.

Generate require statements for loadable modules.

Enable verbose output.

Generated policies should be reviewed before installation. Blindly allowing all denials can create security vulnerabilities. Use audit2why first to understand why denials occurred.

audit2allow is part of policycoreutils-python-utils, providing SELinux policy development tools.

audit2why(1), ausearch(8), semodule(8)