diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..0b95071 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -46,6 +46,9 @@ class AuditToPolicy:
 help="read input from audit log - conflicts with -i")
 parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
 help="read input from dmesg - conflicts with --all and --input")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate dontaudit rules")
 parser.add_option("-i", "--input", dest="input",
 help="read input from <input> - conflicts with -a")
 parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
@@ -314,7 +317,7 @@ class AuditToPolicy:
 g.set_gen_requires(True)
 # Generate the policy
- g.add_access(self.__avs)
+ g.add_access(self.__avs, self.__options.dontaudit)
 g.add_role_types(self.__role_types)
 # Output
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
 .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
 .SH NAME
 .BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
 .BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
 .SH SYNOPSIS
 .B audit2allow
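Review bot: The help string on the added `parser.add_option("-D", "--dontaudit", ...)` lines says only "generate dontaudit rules" and does not tell the operator that the resulting module silences the denial rather than granting the access, which is the whole behavioural difference from the default; suggest `help="generate dontaudit rules (silence the denial instead of allowing the access)"`. Because a dontaudit rule suppresses exactly the AVC messages that audit2allow reads, the man-page entry added in the same commit would benefit from the same wording. The option-parsing method containing these lines starts and ends outside the hunk.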
@@ -44,6 +44,9 @@ Read input from output of
 Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
 .TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
 .B "\-h" | "\-\-help"
 Print a short usage message
 .TP
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..52ca4b4 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -141,15 +141,15 @@ class PolicyGenerator:
 """Return the generated module"""
 return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
 for av in avs:
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
 if self.explain:
 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
 self.module.children.append(rule)
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
 """Add the access from the access vector set to this
 module.
 """
@@ -165,7 +165,7 @@ class PolicyGenerator:
 raw_allow = av_set
 # Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
 def add_role_types(self, role_type_set):
 for role_type in role_type_set:
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..f2cf057 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -420,13 +420,16 @@ class AVRule(Leaf):
 AUDITALLOW = 2
 NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
 Leaf.__init__(self, parent)
 self.src_types = IdSet()
 self.tgt_types = IdSet()
 self.obj_classes = IdSet()
 self.perms = IdSet()
- self.rule_type = self.ALLOW
+ if dontaudit:
+ self.rule_type = self.DONTAUDIT
+ else:
+ self.rule_type = self.ALLOW
 if av:
 self.from_av(av)
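Review bot: The `add_access` docstring is left unchanged although the new `dontaudit=False` parameter changes which kind of rule the module ends up containing; add a parameter line such as `dontaudit: when true, emit dontaudit rules (which only suppress logging of the denial) instead of allow rules.` The name `__add_allow_rules` and the `# Generate the raw allow rules from the filtered list` comment in the second hunk of this file are now misleading for the same reason; a rename to `__add_av_rules` with a matching comment would keep them in step, and since the method is name-mangled private it should have no callers outside the class, though only the visible lines can confirm that. `add_access` continues past the end of the hunk.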
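Review bot: `dontaudit` is a boolean that selects between only two of the four `rule_type` values declared on `AVRule`, so `AUDITALLOW` and `NEVERALLOW` still have to be chosen by assigning `rule_type` after construction, and nothing in the constructor says so; a comment on the new branch such as `# dontaudit only picks DONTAUDIT over ALLOW; other rule types must be set on rule_type directly` would make that explicit. Adding the keyword after `parent` with a default keeps existing positional callers working. `__init__` may continue past the last line of the hunk.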