SELinux : audit2allow Basic Usage (2025/01/02)
With the [audit2allow] command you can generate SELinux policy allow rules from the log entries of denied operations. Be aware that [audit2allow] may grant more access than the application actually needs: when a denial is really caused by a wrong file context, fix the context with [restorecon] (or [chcon]) instead, and when audit2allow reports that a boolean covers the denial, prefer [setsebool] to a custom rule. If [audit2allow] is not present on your system, install it with [dnf install policycoreutils-python-utils].
[1] Display the reason for each denial recorded in the logs. With the [-a] option, audit2allow reads the denials from [/var/log/audit/audit.log] (through ausearch). To read a specific log file instead, use [-i logfile] in place of [-a]. With neither option, audit2allow reads standard input, so you can pipe in the output of [ausearch].
# display the reason for each AVC denial found in audit.log
[root@dlp ~]# audit2allow -w -a
type=AVC msg=audit(1735792319.628:274): avc: denied { write } for pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow samba to enable home dirs
        Allow access by executing:
        # setsebool -P samba_enable_home_dirs 1
        Description:
        Allow samba to export all rw
        Allow access by executing:
        # setsebool -P samba_export_all_rw 1
.....
.....

# for example, use ausearch to select the denials from a time window and pipe them in
# (leave out [-a] when piping: with [-a] audit2allow ignores stdin and reads the whole audit log)
[root@dlp ~]# ausearch -m AVC --start 01/01/2025 12:00:00 --end 01/02/2025 18:00:00 | audit2allow -w
type=AVC msg=audit(1735792319.628:274): avc: denied { write } for pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow samba to enable home dirs
        Allow access by executing:
        # setsebool -P samba_enable_home_dirs 1
        Description:
        Allow samba to export all rw
        Allow access by executing:
        # setsebool -P samba_export_all_rw 1
.....
.....

# without [-w], audit2allow prints the allow rules that would be required instead of the explanation
[root@dlp ~]# ausearch -m AVC --start 01/01/2025 12:00:00 --end 01/02/2025 18:00:00 | audit2allow
#============= httpd_t ==============
allow httpd_t reserved_port_t:tcp_socket name_bind;

#============= smbd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     samba_enable_home_dirs, samba_export_all_rw
allow smbd_t user_home_dir_t:dir write;
[2] Generate a policy module containing the allow rules as follows. [-M name] writes both [name.te], the readable policy source, and [name.pp], the compiled package that [semodule] loads; read the [.te] file before installing it.
# for example, generate the [test_rule] module from the selected denials
# ([-a] is omitted so that audit2allow reads the piped ausearch output rather than the whole audit log)
[root@dlp ~]# ausearch -m AVC --start 01/01/2025 12:00:00 --end 01/02/2025 18:00:00 | audit2allow -M test_rule
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp

# install the module with the command displayed above
[root@dlp ~]# semodule -i test_rule.pp

# make sure the module is loaded
[root@dlp ~]# semodule -l | grep test_rule
test_rule
That is enough in some cases, but not in all. For the smbd_t denial above, audit2allow itself reports that a boolean covers it, so [setsebool -P samba_enable_home_dirs 1] is the narrower fix; a custom allow rule like the one in [test_rule.te] should only be loaded once you have read it and confirmed that every rule grants exactly what you intend.