From: Daniel J Walsh <dwalsh@redhat.com>
To: Karl MacMillan <karlwmacmillan@gmail.com>
Cc: Joshua Brindle <method@manicmethod.com>,
SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Audit2allow generating dontaudit rules.
Date: Mon, 08 Mar 2010 14:33:03 -0500
Message-ID: <4B9550EF.5020208@redhat.com>
In-Reply-To: <10143821003080811l32b1243frcb71d7289b74cd37@mail.gmail.com>
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>
OK, this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.
No passing of args.
[-- Attachment #2: audit2allow_dontaudit.patch --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..5ad9fdb 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
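Review bot: the help string of the new `-D` option ("generate policy with dontaudit rules") reads as if dontaudit rules were added to the output, but the policygen hunk later in this patch turns every generated AV rule into a dontaudit rule in place of an allow rule; say so here, e.g. "generate dontaudit rules instead of allow rules", so it matches the man page's "(Default: allow)". Also, because the option is a plain `store_true` boolean feeding a single `set_gen_dontaudit` setter, it cannot express the case raised upthread of emitting allow and auditallow rules in one run; an option that names the rule type would cover that without a second flag later.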
@@ -295,6 +298,8 @@ class AuditToPolicy:
g = policygen.PolicyGenerator()
+ g.set_gen_dontaudit(self.__options.dontaudit)
+
if self.__options.module:
g.set_module_name(self.__options.module)
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
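Review bot: both replacement lines in the NAME section also drop the leading space before `\-`, and the audit2why line changes only in that whitespace, which is an unrelated formatting change mixed into the feature hunk; keep the original indentation or split the cleanup into its own patch. While the header is being touched, the `.TH` date "January 2005" is stale for a page that now documents a new option.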
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
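Review bot: the new `.TP` entry says "Generate dontaudit rules (Default: allow)" while the script's `--help` text in the first hunk says "generate policy with dontaudit rules"; the two should use the same wording, and this entry should state explicitly that dontaudit rules are produced instead of allow rules for the same denials, since that is what the policygen change does and a reader may otherwise expect both kinds in the output.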
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..0e6b502 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -75,6 +75,8 @@ class PolicyGenerator:
else:
self.module = refpolicy.Module()
+ self.dontaudit = False
+
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -108,6 +110,9 @@ class PolicyGenerator:
"""
self.explain = explain
+ def set_gen_dontaudit(self, dontaudit):
+ self.dontaudit = dontaudit
+
def __set_module_style(self):
if self.ifgen:
refpolicy = True
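Review bot: `set_gen_dontaudit` lacks the docstring that the neighbouring setters carry (`set_gen_refpol` opens with "Set whether reference policy interfaces are generated."); add one stating that when `dontaudit` is true every generated AV rule is emitted as a dontaudit rule rather than an allow rule, and that such rules only silence the AVC denial messages without granting the access.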
@@ -144,6 +149,8 @@ class PolicyGenerator:
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
+ if self.dontaudit:
+ rule.rule_type = rule.DONTAUDIT
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
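Review bot: after this change `__add_allow_rules` can emit dontaudit rules, so the method name no longer describes what it does; rename it (for example `__add_av_rules`) or document the new behaviour at the definition. The explain comment attached just below the new lines via `explain_access` still describes why the access was denied, and with dontaudit output it now sits above a rule that hides that denial instead of resolving it; a word to that effect in the generated comment would keep readers of the module from mistaking the rule for an allow. If `DONTAUDIT` is a class-level constant on `refpolicy.AVRule`, writing `refpolicy.AVRule.DONTAUDIT` rather than `rule.DONTAUDIT` makes that clearer than reaching it through the instance.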