* This patch allows audit2allow to look at all avc's since the last time the machine booted.
@ 2010-03-12 17:58 Daniel J Walsh
From: Daniel J Walsh @ 2010-03-12 17:58 UTC (permalink / raw)
To: SELinux
[-- Attachment #2: audit2allow_boot.patch --]
[-- Type: text/plain, Size: 3828 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 5ad9fdb..5435e9d 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -42,6 +42,8 @@ class AuditToPolicy:
from optparse import OptionParser
parser = OptionParser(version=self.VERSION)
+ parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
+ help="audit messages since last boot conflicts with -i")
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
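Review bot: The help string on the second added line drops the " - " separator the sibling `--all` and `--dmesg` options use, so it reads as one run-on clause in `--help` output; `help="audit messages since last boot - conflicts with -i"` matches the neighbours. If `-b` is also meant to exclude `-a` (see the dispatch below, where `--all` takes precedence), saying so here would spare users a silent no-op. The option-parsing method continues outside the hunk.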
@@ -83,11 +85,11 @@ class AuditToPolicy:
options, args = parser.parse_args()
# Make -d, -a, and -i conflict
- if options.audit is True:
+ if options.audit is True or options.boot:
if options.input is not None:
- sys.stderr.write("error: --all conflicts with --input\n")
+ sys.stderr.write("error: --all/--boot conflicts with --input\n")
if options.dmesg is True:
- sys.stderr.write("error: --all conflicts with --dmesg\n")
+ sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n")
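Review bot: `--all` and `--boot` are never checked against each other, so `-a -b` passes this block and, in the dispatch hunk further down (`if ... elif self.__options.boot`), the `--all` branch wins and the boot-only window the user asked for is silently dropped. Adding `if options.audit is True and options.boot: sys.stderr.write("error: --all conflicts with --boot\n")` next to the existing checks keeps all the conflict handling in one place. As with the existing messages, this hunk only writes the error; whether the command then exits is decided outside the hunk, so that part is inferred.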
@@ -132,6 +134,12 @@ class AuditToPolicy:
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
+ elif self.__options.boot:
+ try:
+ messages = audit.get_audit_boot_msgs()
+ except OSError, e:
+ sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
+ sys.exit(1)
else:
# This is the default if no input is specified
f = sys.stdin
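Review bot: The new `elif self.__options.boot` branch copies the `try`/`except OSError`/`sys.exit(1)` block of the `--all` branch verbatim, differing only in which `audit` function is called. Selecting the reader first (`audit.get_audit_boot_msgs` when `boot` is set, else `audit.get_audit_msgs`) and then running one shared `try` block would avoid two error paths that must be kept in sync. The enclosing method and the head of the `--all` branch lie outside the hunk, so the exact shape of that merge depends on lines not shown here.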
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index d9635c2..6178cc8 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -38,6 +38,9 @@
.B "\-a" | "\-\-all"
Read input from audit and message log, conflicts with -i
.TP
+.B "\-b" | "\-\-boot"
+Read input from audit messages since last boot conflicts with -i
+.TP
.B "\-d" | "\-\-dmesg"
Read input from output of
.I /bin/dmesg.
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index efcc40d..24e308e 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -23,6 +23,27 @@ import re
# Convenience functions
+def get_audit_boot_msgs():
+ """Obtain all of the avc and policy load messages from the audit
+ log. This function uses ausearch and requires that the current
+ process have sufficient rights to run ausearch.
+
+ Returns:
+ string contain all of the audit messages returned by ausearch.
+ """
+ import subprocess
+ import time
+ fd=open("/proc/uptime", "r")
+ off=float(fd.read().split()[0])
+ fd.close
+ s = time.localtime(time.time() - off)
+ date = time.strftime("%D/%Y", s).split("/")
+ bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+ boottime = time.strftime("%X", s)
+ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
def get_audit_msgs():
"""Obtain all of the avc and policy load messages from the audit
log. This function uses ausearch and requires that the current
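Review bot: `fd.close` without parentheses is an attribute reference, not a call, so `/proc/uptime` is never explicitly closed; the `"%D/%Y"` format with `date[0], date[1], date[3]` is an obscure way of spelling `"%m/%d/%Y"`. The boot instant is reconstructed as `time.time() - uptime`, which presumably shifts if the clock was stepped after boot (e.g. by NTP), so the earliest boot-time AVC records may fall outside the window or pre-boot ones inside it — worth a comment on the limitation since a missed denial here means a missed rule. Only an `OSError` from launching ausearch is reported; a non-zero exit or stderr output from ausearch itself goes unnoticed, though I cannot see whether `get_audit_msgs` behaves the same. The docstring's "string contain all" should read "string containing all".
```python
    import subprocess
    import time
    fd = open("/proc/uptime", "r")
    try:
        uptime = float(fd.read().split()[0])
    finally:
        fd.close()
    # boot instant = now - uptime; assumes the wall clock was not stepped since boot
    boot = time.localtime(time.time() - uptime)
    bootdate = time.strftime("%m/%d/%Y", boot)
    boottime = time.strftime("%X", boot)
    # ... unchanged: ausearch Popen call and return ...
```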
* Re: This patch allows audit2allow to look at all avc's since the last time the machine booted.
From: Karl MacMillan @ 2010-03-12 19:37 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Fri, Mar 12, 2010 at 12:58 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
* Re: This patch allows audit2allow to look at all avc's since the last time the machine booted.
From: Joshua Brindle @ 2010-03-18 20:52 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Merged in sepolgen 1.0.21
Daniel J Walsh wrote:
>