On 03/08/2010 11:11 AM, Karl MacMillan wrote:
Accidentally sent this straight to Josh.
Karl
On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@xxxxxxxxx> wrote:
I meant this - I don't want to pass around a boolean flag when we have
a flag for rule type. This allows cleanly adding support for, say,
generating both allow rules and auditallow rules at the same time.
<snip>
Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.
No passing of args.
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..5ad9fdb 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
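Review bot: The help string for the new `-D` option does not say that dontaudit rules are emitted instead of allow rules, even though the policygen hunk later in this patch switches every generated rule's type when the flag is set, so a user may expect both. A wording that states the effect and its consequence would be `help="generate dontaudit rules instead of allow rules (silences the denials rather than permitting them)"`. The option parser setup this hunk belongs to starts and ends outside the hunk.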
@@ -295,6 +298,8 @@ class AuditToPolicy:
g = policygen.PolicyGenerator()
+ g.set_gen_dontaudit(self.__options.dontaudit)
+
if self.__options.module:
g.set_module_name(self.__options.module)
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..0e6b502 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -75,6 +75,8 @@ class PolicyGenerator:
else:
self.module = refpolicy.Module()
+ self.dontaudit = False
+
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -108,6 +110,9 @@ class PolicyGenerator:
"""
self.explain = explain
+ def set_gen_dontaudit(self, dontaudit):
+ self.dontaudit = dontaudit
+
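Review bot: The new `set_gen_dontaudit` has no docstring, while the neighbouring setters in this class (`set_gen_refpol`, and the one whose closing `"""` is the first line of this hunk) document what they set; the attribute it writes is also initialised without a comment in the `__init__` hunk above, where the constructor starts outside the hunk. A docstring along the lines of `"""Set whether generated rules are dontaudit rules instead of allow rules (default: allow)."""` would keep the class consistent. Since the only caller in this patch passes a `store_true` option value, the parameter is presumably a plain bool; storing `bool(dontaudit)` would make that explicit for other callers.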
def __set_module_style(self):
if self.ifgen:
refpolicy = True
@@ -144,6 +149,8 @@ class PolicyGenerator:
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
+ if self.dontaudit:
+ rule.rule_type = rule.DONTAUDIT
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
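Review bot: After this change `__add_allow_rules` emits dontaudit rules as well, so the method name no longer describes what it does, and the switch happens silently inside the loop on the two added lines. A short comment above the new `if`, such as `# dontaudit rules suppress logging of these denials instead of granting them; the flag applies to every AV in this batch`, would make the behaviour visible to the next reader, or the method could be renamed to something like `__add_av_rules` with the private name updated at its call sites. `rule.DONTAUDIT` is read through the instance; if it is a class-level constant of `refpolicy.AVRule` (not visible here), referencing it as `refpolicy.AVRule.DONTAUDIT` would make that clearer.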