Red Hat Bugzilla – Bug 427704
revision for "Using audit2allow to Build a Local Policy Module"
Last modified: 2009-08-20 00:17:24 EDT
received via email:
Eric Paris wrote:
> Not sure if you wrote this, can fix this, or know who did/can but I was
> given your name as a place to start.
> in 45.2.1 we use the line:
> [root@host2a ~]# grep setsebool /var/log/audit/audit.log | audit2allow -M
> but there is no promise that in the future the audit subsystem will be
> all text data so grep is a poor choice of tools. Binary data in the
> audit log might happen, so users should be trained to use the audit
> tools to interact with the audit log. A better example would be
> ausearch -m AVC --comm setsebool | audit2allow -M mysemanage
> I'm also not sure how to fix it, because it seemed obvious to me, but
> someone in GSS had trouble following the example because they thought
> that 'setsebool' was what they would type in there every time there was
> an SELinux denial they wanted to fix. They didn't realize setsebool was
> only relevant to the example in the doc.
> Maybe expand that example to indicate that ausearch -m AVC will give all
> denial messages and things like --comm can be used to limit the output
> to only programs with a given name. In this specific example we know
> that setsebool is causing denials so we use --comm setsebool to limit
> the output to only setsebool denials.
I think this falls into your domain now. Can you look into this?
David O'Brien <mailto:email@example.com>
corrected in source, replaced grep-based command with quoted "ausearch" command.
[ddomingo@woo en-US]$ svn commit -m"BZ#427704, grep-based command changed to
Transmitting file data .
Committed revision 922.
will push to live soon. setting bug as MODIFIED.
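The ausearch-based procedure requested in this report, as an added example that is not part of the bug comments or of the Red Hat documentation: it makes the program name a parameter (setsebool is only the documentation's example) and handles the case where no denials match. The function name `build_local_module` and its argument names are hypothetical.

```shell
#!/bin/sh
# Added example: build a local policy module from the AVC denials of ONE program.
# build_local_module and its arguments are hypothetical names, not from the docs.
#
# usage: build_local_module <comm> <module_name>
#   <comm>        executable name whose denials you want (setsebool in the doc)
#   <module_name> name for the generated module (mysemanage in the doc)
build_local_module() {
    local comm="$1"
    local module="$2"
    local denials

    if [ -z "$comm" ] || [ -z "$module" ]; then
        echo "usage: build_local_module <comm> <module_name>" >&2
        return 2
    fi

    # Query the log through the audit tools instead of grep, as the report asks.
    # "-m AVC" alone returns every denial; "--comm" limits it to one program.
    # ausearch exits non-zero when nothing matches.
    if ! denials="$(ausearch -m AVC --comm "$comm" 2>/dev/null)" \
        || [ -z "$denials" ]; then
        echo "no AVC denials recorded for comm=$comm" >&2
        return 1
    fi

    # -M writes <module>.te (source) and <module>.pp (compiled package) to the
    # current directory. Nothing is loaded into the running policy here.
    printf '%s\n' "$denials" | audit2allow -M "$module" >/dev/null || return 3

    # Read the generated rules before loading them: they allow everything
    # that was denied, which may be more than intended.
    echo "review ${module}.te, then load with: semodule -i ${module}.pp"
}

# Example call, matching the documentation's case:
#   build_local_module setsebool mysemanage
```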