LinuxCommandLibrary

audit2allow

Create SELinux policy modules from audit logs

TLDR

Generate allow rules from recent audit denials and display them

$ sudo audit2allow [[-a|--all]]

Generate allow rules from a specific audit log file
$ sudo audit2allow [[-i|--input]] [path/to/audit.log]

Generate a policy module from recent audit denials
$ sudo audit2allow [[-a|--all]] [[-M|--module]] [module_name]

Explain why SELinux denials occurred (same as audit2why)
$ sudo audit2allow [[-a|--all]] --why

Display detailed information around generated messages
$ sudo audit2allow [[-a|--all]] [[-e|--explain]]

Use installed macros to generate a reference policy
$ sudo audit2allow [[-a|--all]] [[-R|--reference]]

Generate allow rules for a specific service
$ sudo ausearch [[-m|--message]] avc [[-c|--comm]] [service_name] | audit2allow [[-M|--module]] [policy_name]

Enable verbose output mode
$ sudo audit2allow [[-a|--all]] [[-v|--verbose]]

SYNOPSIS

audit2allow [options] [input-file]

PARAMETERS

-a, --all
    Read AVC messages from the audit log (via ausearch) and the system log. Conflicts with -i. Note that without -a, -b, -d or -i the tool reads denials from standard input, which is what makes the ausearch | audit2allow pipeline work.

-b, --boot
    Read audit messages logged since the last boot only. Conflicts with -i.

-d, --dmesg
    Read denials from the kernel ring buffer (dmesg) instead of the audit log. Conflicts with -a and -i.

-i INPUT, --input=INPUT
    Read denials from INPUT, typically a saved audit.log or ausearch output. Conflicts with -a.

-l, --lastreload
    Only consider messages logged after the most recent policy reload, so stale denials already fixed by an earlier module are ignored.

-t TYPE, --type=TYPE
    Only process messages whose type matches the regular expression TYPE.

-p POLICY, --policy=POLICY
    Policy file to use for the analysis instead of the currently loaded policy.

-o OUTPUT, --output=OUTPUT
    Append the generated rules to OUTPUT instead of printing them to standard output.

-m MODULE, --module=MODULE
    Write the rules as policy source for a module named MODULE (module header plus require block) without compiling it. Use -M to also build the package.

-M MODULE_PACKAGE, --module-package=MODULE_PACKAGE
    Generate a loadable module package: writes MODULE_PACKAGE.te, compiles it with checkmodule and semodule_package, and leaves MODULE_PACKAGE.pp ready for semodule -i.

-D, --dontaudit
    Generate dontaudit rules instead of allow rules: the denial stops being logged but the access is still refused.

-r, --requires
    Generate require statements for the types and classes the rules reference.

-R, --reference
    Generate reference-policy style output, replacing raw allow rules with installed interface macros where one matches.

-N, --noreference
    Do not generate reference-policy style output.

-v, --verbose
    Explain the generated output.

-e, --explain
    Fully explain the generated output, listing the denials each rule came from.

-w, --why
    Translate the denials into a description of why access was denied (the same analysis audit2why performs).

-x, --debug
    Leave the intermediate files generated by -M in place for troubleshooting.

--version
    Print version information.

-h, --help
    Show usage help.

DESCRIPTION

audit2allow is a command-line tool in the SELinux ecosystem, shipped with the policycoreutils tooling (the policycoreutils-python-utils package on Fedora/RHEL and Debian). It processes SELinux audit records containing Access Vector Cache (AVC) denial messages and generates the allow rules that would have permitted each denied access, so an administrator can build a custom policy module without writing type enforcement rules by hand.

Typically used during SELinux troubleshooting, it reads denials from the audit log (-a), a saved file (-i), dmesg (-d) or standard input, extracts the source type, target type, object class and permissions from each AVC record, merges denials that share the same source, target and class, and prints the result as policy language statements. The output is reviewed, refined and then installed with semodule.

The tool can emit a compiled loadable module (-M), dontaudit rules instead of allow rules (-D), require statements (-r) and reference-policy style output that uses installed interface macros (-R). It is invaluable for policy development but must be used with care: a rule generated from a denial is only as legitimate as the access that was denied, and a denial caused by a mislabelled file or a disabled boolean is better fixed with restorecon, semanage fcontext or setsebool than with a new allow rule. Always validate the output before loading it.

Common workflow: audit2allow -a -M mymodule creates mymodule.te (the policy source) and mymodule.pp (the compiled package, built via checkmodule and semodule_package); after reviewing mymodule.te, install it with semodule -i mymodule.pp.
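To make the analysis step concrete, here is an added illustration that is not code from the audit2allow project: a small re-implementation of how AVC denial records are turned into merged allow or dontaudit rules and a .te module source, plus the review check a practitioner would run before semodule -i. The log lines, the sensitive-type watch list and the function names are constructed for this example; the real tool is built on the sepolgen library and handles many more record types than this.

```python
"""Toy re-implementation of the audit2allow analysis step (added example, not the
project's code). Parses AVC denial records, merges them per (source type, target
type, class) and renders allow/dontaudit rules and a .te module with a require
block, then flags rules that deserve a second look before they are loaded."""
import re
from collections import defaultdict

# Constructed sample records in audit.log / ausearch format (not from a real host).
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/app.conf" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.300:459): avc:  denied  { write } for  pid=2222 comm="backup" name="shadow" scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.300:459): arch=c000003e syscall=257 success=no exit=-13
"""

# One AVC record: the braced permission list, then scontext, tcontext and tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of user:role:type[:level]; MLS levels may themselves contain ':'."""
    return ctx.split(":", 3)[2]


def parse_denials(text):
    """Extract source type, target type, class and permissions from each AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, CWD, PATH records carry no access vector; skip them
            continue
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def merge(denials):
    """Group permissions by (stype, ttype, tclass), as audit2allow does before emitting rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(sorted(merged.items()))


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_rules(denials, dontaudit=False):
    """One rule per merged key; dontaudit=True mirrors the -D option."""
    kw = "dontaudit" if dontaudit else "allow"
    return [f"{kw} {s} {t}:{c} {_fmt_perms(p)};" for (s, t, c), p in merge(denials).items()]


def build_module(name, denials, dontaudit=False):
    """Render complete .te source with the require block, as -M / -r produce."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]] |= d["perms"]
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    body = "\n".join(generate_rules(denials, dontaudit))
    return f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n" + body + "\n"


# Constructed watch list for the review step; tune it to the policy on your host.
RISKY_PERMS = {"write", "append", "execute", "execute_no_trans", "entrypoint",
               "relabelfrom", "relabelto"}
SENSITIVE_TYPES = {"shadow_t", "etc_t", "bin_t", "security_t", "selinux_config_t"}


def review(denials):
    """Flag generated rules that should not be loaded without a justification."""
    findings = []
    for (s, t, c), perms in merge(denials).items():
        risky = perms & RISKY_PERMS
        if t in SENSITIVE_TYPES or risky:
            findings.append(f"review before loading: {s} -> {t}:{c} {_fmt_perms(perms)}"
                            f" (sensitive target or modifying perms {sorted(risky)})")
    return findings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AVC_LOG)
    print(build_module("myfix", denials))
    for f in review(denials):
        print(f)
```

Run as-is it prints a myfix module with three rules and one review finding: the backup_t write to shadow_t is exactly the kind of denial that should be investigated rather than allowed. The first two denials are also a hint rather than a policy gap; on a real host audit2allow -w (audit2why) would point at relabelling the file or enabling the httpd_enable_homedirs boolean before any custom module is considered.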

CAVEATS

Auto-generated rules grant exactly the access that was denied, which is not the same as the access that should be granted: a denial logged while a process was misbehaving or under attack becomes a permanent allow rule, and a denial caused by a mislabelled file or a disabled boolean is better fixed with restorecon, semanage fcontext or setsebool (run audit2allow -w first to find out). Review every rule before applying it with semodule, keep modules small and per-service, and never load one on production systems without validation. Only AVC denial records are parsed; other audit events are ignored. Disabling SELinux, or putting the whole system in permissive mode, is not a safe alternative to a reviewed policy module.

EXAMPLE USAGE

audit2allow -a > local.rules
audit2allow -a -M myfix (creates myfix.te, myfix.pp)
semodule -i myfix.pp

HISTORY

Developed alongside SELinux in the early 2000s and included in policycoreutils since its early releases. The original utility was later rewritten in Python on top of the sepolgen library, which also provides the audit2why analysis mode; it is maintained today in the upstream SELinux userspace project and shipped by Fedora/RHEL, Debian and other distributions.

SEE ALSO

ausearch(1), audit2why(1), sepolicy(8), semodule(8), semanage(8), setsebool(8), checkmodule(8), semodule_package(8), selinuxenabled(1)
