-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This patch looks good to me. Acked. Since I rearranged, I approve.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4nMF4ACgkQrlYvE4MpobMbNwCgip3jIUFReIuJprBzfgtbg5CQ
4MgAn2ffuIbRfkjyInb1ZZJPtar9rAub
=8wjI
-----END PGP SIGNATURE-----
>From a7be0e4a4533bc1a5ec9224260a56eb288ea1a37 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh <dwalsh@xxxxxxxxxx> Date: Wed, 22 Dec 2010 15:08:33 -0500 Subject: [PATCH 07/93] Rearranged audit2allow.1 to match the newer ways we use the tool. Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- policycoreutils/audit2allow/audit2allow.1 | 49 ++++++++++++++++++++--------- 1 files changed, 34 insertions(+), 15 deletions(-) diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index 6178cc8..fd9eb88 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -1,5 +1,6 @@ .\" Hey, Emacs! This is an -*- nroff -*- source file. .\" Copyright (c) 2005 Manoj Srivastava <srivasta@xxxxxxxxxx> +.\" Copyright (c) 2010 Dan Walsh <dwalsh@xxxxxxxxxx> .\" .\" This is free documentation; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License as @@ -22,7 +23,7 @@ .\" USA. .\" .\" -.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA +.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow \- generate SELinux policy allow/dontaudit rules from logs of denied operations @@ -117,14 +118,6 @@ an 'allow' rule. .B Please substitute /var/log/messages for /var/log/audit/audit.log in the .B examples. .PP -.B Using audit2allow to generate monolithic (non-module) policy -$ cd /etc/selinux/$SELINUXTYPE/src/policy -$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te -$ cat domains/misc/local.te -allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -<review domains/misc/local.te and customize as desired> -$ make load - .B Using audit2allow to generate module policy $ cat /var/log/audit/audit.log | audit2allow -m local > local.te 
@@ -132,20 +125,38 @@ $ cat local.te module local 1.0; require { - role system_r; + class file { getattr open read }; - class fifo_file { getattr ioctl }; + type myapp_t; + type etc_t; + }; - type cupsd_config_t; - type unconfined_t; - }; +allow myapp_t etc_t:file { getattr open read }; +<review local.te and customize as desired> +.B Using audit2allow to generate module policy using reference policy -allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; +$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te +$ cat local.te +policy_module(local, 1.0) + +gen_require(` + type myapp_t; + type etc_t; + }; + +files_read_etc_files(myapp_t) <review local.te and customize as desired> +.B Building module policy using Makefile + +# SELinux provides a policy devel environment under /usr/share/selinux/devel +# You can create a te file and compile it by executing +$ make -f /usr/share/selinux/devel/Makefile +$ semodule -i local.pp + .B Building module policy manually # Compile the module @@ -168,6 +179,14 @@ you are required to execute semodule -i local.pp +.B Using audit2allow to generate monolithic (non-module) policy +$ cd /etc/selinux/$SELINUXTYPE/src/policy +$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te +$ cat domains/misc/local.te +allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; +<review domains/misc/local.te and customize as desired> +$ make load + .fi .PP .SH AUTHOR -- 1.7.6
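Review bot: in the @@ -132,20 +125,38 @@ hunk, the reference-policy example closes its `gen_require(` block with `};`, which is the syntax of the plain `require { ... }` block shown just above it, not of an m4 macro: the backquote in ``gen_require(` `` opens an m4 quote that needs a matching `'`, and the macro call itself needs its `)`. A reader who copies this into a .te file and runs the devel Makefile will get an m4 or checkmodule parse error rather than a module. The closing line should read `')` instead of `};`.

Review bot: in the @@ -168,6 +179,14 @@ hunk, the monolithic example that was moved to the end still uses the old `allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };` rule and `make load`, while the module examples earlier in the same patch were rewritten around the `myapp_t`/`etc_t` file denial. Since the point of the rearrangement is to show the same denial handled the modern way first, the monolithic section would read better with the same `myapp_t etc_t:file { getattr open read }` rule, and it would help to say in one sentence that this path assumes a policy source tree under `/etc/selinux/$SELINUXTYPE/src/policy`, which is exactly what the `-m`/`-R` module workflow above avoids.

Review bot: in the @@ -22,7 +23,7 @@ hunk, the `.TH` date is bumped to "October 2010" but the patch itself is dated 22 Dec 2010; since the page content is being rewritten here, set the date to the month the rewrite actually lands so the man page date does not predate its own text.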