* Rearranged audit2allow.1 to match the newer ways we use the tool.
@ 2010-12-22 20:08 Daniel J Walsh
From: Daniel J Walsh @ 2010-12-22 20:08 UTC (permalink / raw)
To: 'Chad Sellers', SELinux
[-- Attachment #2: audit2allow_man.patch --]
[-- Type: text/plain, Size: 2964 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index 6178cc8..b6f386d 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -1,5 +1,6 @@
.\" Hey, Emacs! This is an -*- nroff -*- source file.
.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
+.\" Copyright (c) 2010 Dan Walsh <dwalsh@redhat.com>
.\"
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
@@ -22,7 +23,7 @@
.\" USA.
.\"
.\"
-.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
+.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
\- generate SELinux policy allow/dontaudit rules from logs of denied operations
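Review bot: the new `.TH` date reads "October 2010" while the patch itself is posted 2010-12-22; since this line is being touched anyway, set it to the month the change actually lands (December 2010) so the man page's revision date matches its content.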
@@ -117,14 +121,6 @@ an 'allow' rule.
.B Please substitute /var/log/messages for /var/log/audit/audit.log in the
.B examples.
.PP
-.B Using audit2allow to generate monolithic (non-module) policy
-$ cd /etc/selinux/$SELINUXTYPE/src/policy
-$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
-$ cat domains/misc/local.te
-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
-<review domains/misc/local.te and customize as desired>
-$ make load
-
.B Using audit2allow to generate module policy
$ cat /var/log/audit/audit.log | audit2allow -m local > local.te
@@ -132,20 +128,38 @@ $ cat local.te
module local 1.0;
require {
- role system_r;
+ class file { getattr open read };
- class fifo_file { getattr ioctl };
+ type myapp_t;
+ type etc_t;
+ };
- type cupsd_config_t;
- type unconfined_t;
- };
+allow myapp_t etc_t:file { getattr open read };
+<review local.te and customize as desired>
+.B Using audit2allow to generate module policy using reference policy
-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
+$ cat local.te
+policy_module(local, 1.0)
+
+gen_require(`
+ type myapp_t;
+ type etc_t;
+ };
+
+files_read_etc_files(myapp_t)
<review local.te and customize as desired>
+.B Building module policy using Makefile
+
+# SELinux provides a policy devel environment under /usr/share/selinux/devel
+# You can create a te file and compile it by executing
+$ make -f /usr/share/selinux/devel/Makefile
+$ semodule -i local.pp
+
.B Building module policy manually
# Compile the module
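Review bot: the reference-policy example closes `gen_require(`` with `};` (the line after `type etc_t;`), which is the syntax of the plain `require { ... };` block above it, not of the M4 macro; a reference-policy `.te` needs the macro closed with `')`, i.e. `gen_require(`` / ` type myapp_t;` / ` type etc_t;` / `')`, and a reader who copies the example as written will get a build error. Also, the new `.B Using audit2allow to generate module policy using reference policy` heading follows `<review local.te and customize as desired>` with no blank line, whereas the other example sections in this block are separated by one.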
@@ -168,6 +182,14 @@ you are required to execute
semodule -i local.pp
+.B Using audit2allow to generate monolithic (non-module) policy
+$ cd /etc/selinux/$SELINUXTYPE/src/policy
+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
+$ cat domains/misc/local.te
+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+<review domains/misc/local.te and customize as desired>
+$ make load
+
.fi
.PP
.SH AUTHOR
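Review bot: the relocated monolithic section starts with `.B Using audit2allow to generate monolithic (non-module) policy` directly under the `semodule -i local.pp` context line with no blank line before it, unlike the `.B Building module policy manually` heading earlier in this patch, which is preceded by one; add the separator so the sections render consistently inside the no-fill block. While this block is being moved, consider switching its sample denial from `cupsd_config_t unconfined_t:fifo_file` to the `myapp_t etc_t:file` case used in the two module examples, so a reader can compare the three output formats for the same input.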
[-- Attachment #3: audit2allow_man.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]