On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
On 03/01/2010 02:29 PM, Karl MacMillan wrote:
I'd rather pass in the rule type to the AVRule init rather than a
boolean about this being a dontaudit rule.
Karl
On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@xxxxxxxxxx>
wrote:
How about this patch. Moves the dontaudit up the chain a little bit.
Is this what you want?
One minor problem. Updated patch.
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..1c7d896 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
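Review bot: The help text for the new `-D` option at L21 does not tell the operator what a dontaudit rule costs them: the access is still denied, but the denial stops being logged, so the generated module silences exactly the AVC messages audit2allow was fed. That is a security-relevant trade-off that belongs in the one line a user sees before choosing it, e.g. `help="generate dontaudit rules instead of allow rules (the matching denials will no longer be audited)"`. The same wording would fit the man-page entry this patch adds.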
@@ -153,11 +156,11 @@ class AuditToPolicy:
def __process_input(self):
if self.__options.type:
avcfilter = audit.AVCTypeFilter(self.__options.type)
- self.__avs = self.__parser.to_access(avcfilter)
+ self.__avs = self.__parser.to_access(avcfilter, dontaudit=self.__options.dontaudit)
csfilter = audit.ComputeSidTypeFilter(self.__options.type)
self.__role_types = self.__parser.to_role(csfilter)
else:
- self.__avs = self.__parser.to_access()
+ self.__avs = self.__parser.to_access(dontaudit=self.__options.dontaudit)
self.__role_types = self.__parser.to_role()
def __load_interface_info(self):
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 71121d7..139f786 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -86,6 +86,8 @@ class AccessVector:
self.perms = refpolicy.IdSet()
self.audit_msgs = []
+ self.dontaudit = False
+
# The direction of the information flow represented by this
# access vector - used for matching
self.info_flow_dir = None
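Review bot: The new `self.dontaudit` attribute at L69 has no comment, and since this single flag decides whether the vector comes out as `allow` or `dontaudit` it deserves one, e.g. `# When True this vector is emitted as a dontaudit rule instead of an allow rule`. `__init__` starts before the hunk; if it also populates the vector from its argument (L76 builds vectors with `AccessVector(av)`), the flag presumably has to be carried across there as well, otherwise a rebuilt vector silently reverts to allow — worth confirming.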
@@ -253,7 +255,7 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, dontaudit=False):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
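Review bot: The docstring at L79 still reads only "Add an access vector to the set." and says nothing about the `dontaudit` keyword added at L78, which audit.py now passes on every call. Suggest extending it to: "Add an access vector to the set. With dontaudit=True the vector is marked so that it is rendered as a dontaudit rule instead of an allow rule." The body of `add` continues past the hunk.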
@@ -266,6 +268,7 @@ class AccessVectorSet:
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
+ access.dontaudit = dontaudit
cls[obj_class] = access
access.perms.update(perms)
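Review bot: `access.dontaudit = dontaudit` at L86 appears to sit among the field initialisations of a freshly created vector (it precedes the store at L87), whereas `access.perms.update(perms)` at L88 also runs for a vector that already exists; so a later add() for the same (src, tgt, class) with a different dontaudit value merges its permissions but keeps the earlier flag. Every caller in this patch uses one value per run, so nothing breaks today, but a mixed caller could end up with permissions requested as dontaudit being emitted inside an allow rule. Either document the contract, `# dontaudit is fixed by the first add() for this (src, tgt, class); later calls only merge perms`, or re-assign the flag next to the perms update. Indentation is lost in this listing, so confirm which branch L86 is actually in.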
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index efcc40d..80371d0 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -424,7 +424,7 @@ class AuditParser:
return role_types
- def to_access(self, avc_filter=None, only_denials=True):
+ def to_access(self, avc_filter=None, only_denials=True, dontaudit=False):
"""Convert the audit logs access into a an access vector set.
Convert the audit logs into an access vector set, optionally
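Review bot: The docstring starting at L97 does not describe the `dontaudit` parameter added to the signature at L96 (and still reads "a an access vector set"). Suggest adding a parameter line: "dontaudit - when True, mark every resulting access vector so that it is rendered as a dontaudit rule instead of an allow rule; the denials themselves are unchanged." The docstring and the body of `to_access` continue past the hunk.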
@@ -448,10 +448,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
return av_set
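Review bot: The two `av_set.add(...)` calls at L102–L104 and L106–L108 are now identical except for the filter test, and this patch had to edit both just to thread the kwarg through; folding them leaves one call to keep in sync: `if not avc_filter or avc_filter.filter(avc):` followed by the single `av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, avc.accesses, avc, dontaudit=dontaudit)`. That keeps the existing truthiness test on `avc_filter`. The loop and `to_access` itself begin before the hunk.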
class AVCTypeFilter:
@@ -477,5 +477,3 @@ class ComputeSidTypeFilter:
if self.regex.match(avc.tcontext.type):
return True
return False
-
-
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..782ea3d 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -449,6 +449,8 @@ class AVRule(Leaf):
self.tgt_types.add(av.tgt_type)
self.obj_classes.add(av.obj_class)
self.perms.update(av.perms)
+ if av.dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
def to_string(self):
"""Return a string representation of the rule
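Review bot: `self.rule_type = audit2why.DONTAUDIT` at L126 takes its constant from the `audit2why` module, while `to_string` at L127 is what later turns `rule_type` into the `allow`/`dontaudit` keyword; unless the two value spaces agree, the rule can be printed with the wrong keyword, and for a dontaudit rule the wrong keyword is `allow`, i.e. a grant nobody asked for. The hunk also shows no import of `audit2why` into refpolicy.py, so confirm the name is in scope; if AVRule carries its own rule-type constants, `self.rule_type = self.DONTAUDIT` is the safer spelling. Note too that the flag is only ever set and never cleared, so a rule accumulated from several vectors (see the `.add`/`.update` calls at L122–L124) stays dontaudit once any one of them carries it — worth a comment such as `# any dontaudit vector makes the whole rule dontaudit`. The method containing these lines starts before the hunk.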