diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..5ad9fdb 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
 help="generate a module package - conflicts with -o and -m")
 parser.add_option("-o", "--output", dest="output",
 help="append output to , conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
 parser.add_option("-R", "--reference", action="store_true",
 dest="refpolicy", default=True,
 help="generate refpolicy style output")
@@ -295,6 +298,8 @@ class AuditToPolicy:
 g = policygen.PolicyGenerator()
+ g.set_gen_dontaudit(self.__options.dontaudit)
+
 if self.__options.module:
 g.set_module_name(self.__options.module)
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
 .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
 .SH NAME
 .BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
 .BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
 .SH SYNOPSIS
 .B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
 Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
 .TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
 .B "\-h" | "\-\-help"
 Print a short usage message
 .TP
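Review bot: The help string for the new -D option, `help="generate policy with dontaudit rules"`, reads as though dontaudit rules are emitted alongside the allow rules, whereas the policygen change in this same commit turns every generated AV rule into a dontaudit rule when the flag is set; the man-page wording "(Default: allow)" is the clearer of the two. Suggest `help="generate dontaudit rules instead of allow rules (default: allow)"`. It is also worth stating in one of the two places that a dontaudit rule does not grant the access but stops the matching denial from being logged, since that is the trade-off an operator makes when generating such rules from audit output. The option-parsing method this hunk sits in begins before the hunk.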
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..0e6b502 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -75,6 +75,8 @@ class PolicyGenerator:
 else:
 self.module = refpolicy.Module()
+ self.dontaudit = False
+
 def set_gen_refpol(self, if_set=None, perm_maps=None):
 """Set whether reference policy interfaces are generated.
@@ -108,6 +110,9 @@ class PolicyGenerator:
 """
 self.explain = explain
+ def set_gen_dontaudit(self, dontaudit):
+ self.dontaudit = dontaudit
+
 def __set_module_style(self):
 if self.ifgen:
 refpolicy = True
@@ -144,6 +149,8 @@ class PolicyGenerator:
 def __add_allow_rules(self, avs):
 for av in avs:
 rule = refpolicy.AVRule(av)
+ if self.dontaudit:
+ rule.rule_type = rule.DONTAUDIT
 if self.explain:
 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
 self.module.children.append(rule)
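Review bot: set_gen_dontaudit has no docstring, unlike the neighbouring setters such as set_gen_refpol whose docstring is visible in the preceding hunk and set_gen_explain whose closing docstring quotes appear just above the new method. Add `"""Set whether dontaudit rules are generated in place of allow rules (default: False)."""` so the class documents the effect in the same style as its other setters. The value is stored as passed; if callers other than audit2allow are expected, `self.dontaudit = bool(dontaudit)` would keep the attribute a plain flag, but that is optional.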
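Review bot: The new branch in __add_allow_rules carries no explanation of what it changes, and the distinction matters: a dontaudit rule does not grant the access, it suppresses the AVC message for it, so policy generated with -D silences the very denials it was built from rather than resolving them. A why-comment on the branch would make that visible at the point of generation, e.g. `# dontaudit suppresses the denial message instead of granting the access`. The explain comment attached on the following line is built by explain_access(av, ...) regardless of rule type, so with -D it may describe the access as something the rule permits; whether its wording fits a dontaudit rule is worth confirming against explain_access. The method name no longer matches what it emits; since it is name-mangled and private to the class, a docstring stating that the rule type follows self.dontaudit is cheaper than a rename.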