This patch allows audit2allow to look at all avc's since the last time the machine booted.

[Daniel J Walsh <dwalsh@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: audit2allow_boot.patch --]
[-- Type: text/plain, Size: 3828 bytes --]

diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 5ad9fdb..5435e9d 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -42,6 +42,8 @@ class AuditToPolicy:
         from optparse import OptionParser
 
         parser = OptionParser(version=self.VERSION)
+        parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
+                          help="audit messages since last boot conflicts with -i")
         parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                           help="read input from audit log - conflicts with -i")
         parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@@ -83,11 +85,11 @@ class AuditToPolicy:
         options, args = parser.parse_args()
 
         # Make -d, -a, and -i conflict
-        if options.audit is True:
+        if options.audit is True or options.boot:
             if options.input is not None:
-                sys.stderr.write("error: --all conflicts with --input\n")
+                sys.stderr.write("error: --all/--boot conflicts with --input\n")
             if options.dmesg is True:
-                sys.stderr.write("error: --all conflicts with --dmesg\n")
+                sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
         if options.input is not None and options.dmesg is True:
             sys.stderr.write("error: --input conflicts with --dmesg\n")
 
@@ -132,6 +134,12 @@ class AuditToPolicy:
             except OSError, e:
                 sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
                 sys.exit(1)
+        elif self.__options.boot:
+            try:
+                messages = audit.get_audit_boot_msgs()
+            except OSError, e:
+                sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
+                sys.exit(1)
         else:
             # This is the default if no input is specified
             f = sys.stdin
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index d9635c2..6178cc8 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -38,6 +38,9 @@
 .B "\-a" | "\-\-all"
 Read input from audit and message log, conflicts with -i
 .TP
+.B "\-b" | "\-\-boot"
+Read input from audit messages since last boot conflicts with -i
+.TP
 .B "\-d" | "\-\-dmesg"
 Read input from output of 
 .I /bin/dmesg.
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index efcc40d..24e308e 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -23,6 +23,27 @@ import re
 
 # Convenience functions
 
+def get_audit_boot_msgs():
+    """Obtain all of the avc and policy load messages from the audit
+    log. This function uses ausearch and requires that the current
+    process have sufficient rights to run ausearch.
+
+    Returns:
+       string contain all of the audit messages returned by ausearch.
+    """
+    import subprocess
+    import time
+    fd=open("/proc/uptime", "r")
+    off=float(fd.read().split()[0])
+    fd.close
+    s = time.localtime(time.time() - off)
+    date = time.strftime("%D/%Y", s).split("/")
+    bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+    boottime = time.strftime("%X", s)
+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+                              stdout=subprocess.PIPE).communicate()[0]
+    return output
+
 def get_audit_msgs():
     """Obtain all of the avc and policy load messages from the audit
     log. This function uses ausearch and requires that the current