CentOS 7
Ads

SELinux : Use audit2allow
2016/04/05
 
Using audit2allow command, it's possible to generate SELinux policy allow rules easily from logs of denied operations.
However, audit2allow may allow more access than required, so it's better to configure with restorecon or chcon command in cases.
By the way, if audit2allow does not exist in your System, install with "yum install policycoreutils-python".
[1] Display denial reasons to read log files.
If not specified any log file, audit2allow reads /var/log/audit/audit.log.
If specify log files, set "-i logfile" option instead "-a" option.
# display reason for AVC denials from reading audit.log

[root@dlp ~]#
audit2allow -w -a

type=AVC msg=audit(1460007772.762:55): avc:  denied  { getattr } for  pid=1029 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

.....
.....

type=AVC msg=audit(1460007828.479:64): avc:  denied  { getattr } for  pid=1056 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

# for example, use ausearch to display specific logs

[root@dlp ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -w

type=AVC msg=audit(1460009034.012:76): avc:  denied  { getattr } for  pid=1054 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1460009034.013:77): avc:  denied  { getattr } for  pid=1054 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

# display required type with -a option

[root@dlp ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a


#============= httpd_t ==============
allow httpd_t admin_home_t:file getattr;
[2] Generate allow rule like follows.
# for example, generate "test_rule" module

[root@dlp ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a -M test_rule

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp

# install module with the command displayed above

[root@dlp ~]#
semodule -i test_rule.pp
# make sure the module is loaded

[root@dlp ~]#
semodule -l | grep test_rule

test_rule 1.0
[3] It's OK all in some cases, but for other cases, it's not yet.
For this example, it's impossible to access normally yet like follows.
[root@dlp ~]#
curl http://localhost/index.html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
  The reason is that it's insufficient for httpd_t domain to access to admin_home_t type file with only getattr. In such case, generate rule with audit2allow again.
[root@dlp ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a


#============= httpd_t ==============
allow httpd_t admin_home_t:file read;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file getattr;
# read right is also required

[root@dlp ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule

[root@dlp ~]#
semodule -i test_rule.pp

[root@dlp ~]#
curl http://localhost/index.html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
.....
# cannot access yet

[root@dlp ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a


#============= httpd_t ==============
allow httpd_t admin_home_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file { read getattr };
# open right is also required

[root@dlp ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule

[root@dlp ~]#
semodule -i test_rule.pp

[root@dlp ~]#
curl http://localhost/index.html

Test Page    
# accessed finally
 
Tweet