Enable all AVC denial messages

In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than they need to perform their tasks. To maintain least privilege without filling the audit log with AVC denials for this harmless probing, the policy can silence a denial without allowing the permission by using dontaudit rules, which are common in the standard policy. The downside of dontaudit is that, although SELinux still denies the access, no denial message is logged, which makes troubleshooting harder.

To rebuild the policy with all dontaudit rules disabled, so that every denial is logged:

# semodule -DB

Running semodule -B afterwards rebuilds the policy with the dontaudit rules restored.

Install policycoreutils-python

This provides the audit2allow program, which makes it easy to create new type enforcement (.te) and policy package (.pp) files. On an EL6 system it is installed with yum, which pulls in the dependencies shown below:

# yum install policycoreutils-python

Installing:
 policycoreutils-python           x86_64           2.0.83-24.el6            base           436 k
Installing for dependencies:
 audit-libs-python                x86_64           2.3.7-5.el6              base            62 k
 libselinux-python                x86_64           2.0.94-5.8.el6           base           203 k
 libsemanage-python               x86_64           2.0.43-5.1.el6           base            81 k
 setools-libs                     x86_64           3.3.7-4.el6              base           400 k
 setools-libs-python              x86_64           3.3.7-4.el6              base           222 k

Look for AVC denied messages in /var/log/audit/audit.log

You can use either of the following commands to output the logged AVC denial messages:

# cat /var/log/audit/audit.log | audit2why

# audit2allow -w -a

A denial record looks like this:

type=AVC msg=audit(1442883367.679:57): avc:  denied  { write } for  pid=2668 comm="glusterd" name="glusterd.socket" dev=sda1 ino=262253 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

Put that line into a file, and you can then give the file as input to audit2allow.

# cat se01-write-glusterd | audit2allow -M se01-write-glusterd

This creates two files, se01-write-glusterd.te and se01-write-glusterd.pp. The .pp file is binary, but the .te file is ASCII:

# cat se01-write-glusterd.te

module se01-write-glusterd 1.0;

require {
        type var_run_t;
        type glusterd_t;
        class sock_file write;
}

#============= glusterd_t ==============
allow glusterd_t var_run_t:sock_file write;

You can install the new .pp policy package by running:

# semodule -i se01-write-glusterd.pp

If you only have the type enforcement file (e.g. se01-write-glusterd.te), or have
written the type enforcement rules yourself, you can compile it into a policy package as follows:

# checkmodule -M -m -o se01-write-glusterd.mod se01-write-glusterd.te 
# semodule_package -m se01-write-glusterd.mod -o se01-write-glusterd.pp
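The following Python script is an added example, not part of this page and not audit2allow itself: it parses avc: denied records like the one above into (source type, target type, class) entries, merges the denied permissions, and renders a .te module in the same shape as the se01-write-glusterd.te file shown earlier. The second AVC record and the SYSCALL record in SAMPLE_LOG are constructed to show merging and record filtering; the caveat about generic labels is the editor's, not the tool's.

```python
import re
from collections import defaultdict

# Constructed sample: the page's denial, a made-up second record for the same domain, and a SYSCALL record.
SAMPLE_LOG = """\
type=AVC msg=audit(1442883367.679:57): avc:  denied  { write } for  pid=2668 comm="glusterd" name="glusterd.socket" dev=sda1 ino=262253 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1442883368.101:58): avc:  denied  { create unlink } for  pid=2668 comm="glusterd" name="glusterd.socket" scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1442883367.679:57): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type (third field) of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH and other record types carry no AVC decision
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def fmt_perms(perms):
    """One permission bare, several in braces, as in the .te file above."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te(module_name, denials, version="1.0"):
    """Render a .te module with the require block audit2allow would emit."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    # A rule on a generic label such as var_run_t covers every sock_file with that label, not only glusterd.socket: review each rule before semodule -i.
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"
```

Feed parse_denials the raw contents of audit.log and pass the result to build_te; the text it returns can be compiled with the checkmodule and semodule_package commands above.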