Bug 427704 - revision for "Using audit2allow to Build a Local Policy Module"
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: Deployment_Guide
5.1
All Linux
low Severity low
: rc
Assigned To: Don Domingo
Content Services Development
: Documentation
Reported: 2008-01-06 18:02 EST by Don Domingo
Modified: 2009-08-20 00:17 EDT
Doc Type: Bug Fix
Last Closed: 2008-01-14 20:27:27 EST

Description Don Domingo 2008-01-06 18:02:37 EST
received via email:
Eric Paris wrote:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/sec-sel-building-policy-module.html
>
> Not sure if you wrote this, can fix this, or know who did/can but I was
> given your name as a place to start.
>
> in 45.2.1 we use the line:
> [root@host2a ~]#  grep setsebool /var/log/audit/audit.log  | audit2allow -M mysemanage
>
> but there is no promise that in the future the audit subsystem will be
> all text data so grep is a poor choice of tools.  Binary data in the
> audit log might happen, so users should be trained to use the audit
> tools to interact with the audit log.  A better example would be
>
> ausearch -m AVC --comm setsebool | audit2allow -M mysemanage
>
> I'm also not sure how to fix it, because it seemed obvious to me, but
> someone in GSS had trouble following the example because they thought
> that 'setsebool' was what they would type in there every time there was
> an SELinux denial they wanted to fix.  They didn't realize setsebool was
> only relevant to the example in the doc.
>
> Maybe expand that example to indicate that ausearch -m AVC will give all
> denial messages and things like --comm can be used to limit the output
> to only programs with a given name.  In this specific example we know
> that setsebool is causing denials so we use --comm setsebool to limit
> the output to only setsebool denials.
>
> -Eric
>
>   
Hi Don
I think this falls into your domain now. Can you look into this?

cheers

-- 

David O'Brien <mailto:daobrien@redhat.com>
RHCT

Comment 1 Don Domingo 2008-01-06 18:06:40 EST
corrected in source, replaced grep-based command with quoted "ausearch" command.

****
[ddomingo@woo en-US]$ svn commit -m"BZ#427704, grep-based command changed to ausearch" SELinux_Policy_Customizing.xml
Sending        SELinux_Policy_Customizing.xml
Transmitting file data .
Committed revision 922.
****

will push to live soon. setting bug as MODIFIED.
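
The ausearch-based approach from the report, generalized so the program name is a parameter instead of the literal `setsebool`. This is an added example, not text from the bug report or the Deployment Guide. The helper name `build_local_module` is hypothetical; `mysemanage` and `setsebool` are the values from the report.

```shell
#!/bin/sh
# build_local_module MODULE [COMM]   (hypothetical helper, not from the guide)
# Feeds AVC denials to audit2allow through ausearch rather than grep.
build_local_module() {
    module=$1
    comm=${2:-}

    # MODULE names the generated MODULE.te and MODULE.pp files.
    case $module in
        ''|*[!A-Za-z0-9_]*)
            echo "usage: build_local_module MODULE [COMM]" >&2
            return 2 ;;
    esac

    # -m AVC returns all denial messages; --comm limits them to one program.
    set -- -m AVC
    if [ -n "$comm" ]; then
        set -- "$@" --comm "$comm"
    fi

    records=$(mktemp) || return 1
    # ausearch exits non-zero when nothing matches; decide on the output instead.
    ausearch "$@" > "$records" 2>/dev/null || :

    if [ ! -s "$records" ]; then
        echo "no AVC denials matched; no module built" >&2
        rm -f "$records"
        return 1
    fi

    status=0
    audit2allow -M "$module" < "$records" || status=$?
    rm -f "$records"

    if [ "$status" -eq 0 ]; then
        echo "review $module.te before loading $module.pp with semodule -i" >&2
    fi
    return "$status"
}
```

After sourcing the file, `build_local_module mysemanage setsebool` reproduces the report's example, and leaving out the second argument builds from every AVC denial that ausearch returns.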
