CentOS 7
SELinux : Use audit2allow
2016/04/05
 
With the audit2allow command, it is easy to generate SELinux policy allow rules from the logs of denied operations.
However, audit2allow may allow more access than is actually required, so in many cases it is better to fix the file context with the restorecon or chcon command instead.
If audit2allow does not exist on your system, install it with "yum install policycoreutils-python".
[1] Display the reason for the denials by reading the log files.
If no log file is specified, audit2allow reads /var/log/audit/audit.log.
To read a specific log file, use the "-i logfile" option instead of the "-a" option.
# display reason for AVC denials from reading audit.log

[[email protected] ~]#
audit2allow -w -a

type=AVC msg=audit(1460007772.762:55): avc:  denied  { getattr } for  pid=1029 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

.....
.....

type=AVC msg=audit(1460007828.479:64): avc:  denied  { getattr } for  pid=1056 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

# for example, use ausearch to display specific logs

[[email protected] ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -w

type=AVC msg=audit(1460009034.012:76): avc:  denied  { getattr } for  pid=1054 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1460009034.013:77): avc:  denied  { getattr } for  pid=1054 comm="httpd" path="/var/www/html/index.html" 
    dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

# display required type with -a option

[[email protected] ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file getattr;
[2] Generate an allow rule as follows.
# for example, generate "test_rule" module

[[email protected] ~]#
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a -M test_rule

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp

# install module with the command displayed above

[[email protected] ~]#
semodule -i test_rule.pp
# make sure the module is loaded

[[email protected] ~]#
semodule -l | grep test_rule

test_rule 1.0
[3] In some cases a single rule is enough, but in other cases it is not.
In this example, the file still cannot be accessed normally, as shown below.
[[email protected] ~]#
curl http://localhost/index.html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
The reason is that getattr alone is not sufficient for the httpd_t domain to access a file of type admin_home_t. In that case, generate the rule with audit2allow again.
[[email protected] ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file read;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file getattr;
# read right is also required

[[email protected] ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule

[[email protected] ~]#
semodule -i test_rule.pp

[[email protected] ~]#
curl http://localhost/index.html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
.....
# cannot access yet

[[email protected] ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file { read getattr };
# open right is also required

[[email protected] ~]#
ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule

[[email protected] ~]#
semodule -i test_rule.pp

[[email protected] ~]#
curl http://localhost/index.html

Test Page    
# accessed finally
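As an added example that is not part of the original page: the script below re-implements, with awk, the part of "audit2allow -a" that turns AVC records into allow rules, so the permission merging seen above ({ read getattr }) is visible step by step. The input is constructed from the tutorial's own denial lines plus one added "read" denial; the flag_mislabel helper is this example's own addition and points at the caveat from the top of the page, that a rule targeting admin_home_t usually means the content is mislabelled and restorecon or chcon is the better fix than an allow rule.

```bash
#!/bin/bash
# Added example (not from the original page): a minimal re-implementation of
# what "audit2allow -a" does with AVC records. It is NOT a replacement for
# audit2allow; it only reads the "{ perms }", scontext, tcontext and tclass
# fields of type=AVC lines.

# Constructed sample: the tutorial's denials plus one extra "read" denial so
# that merging of permissions per (source, target, class) is exercised.
SAMPLE_AVC='type=AVC msg=audit(1460007772.762:55): avc:  denied  { getattr } for  pid=1029 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1460007828.479:64): avc:  denied  { getattr } for  pid=1056 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1460009100.100:80): avc:  denied  { read } for  pid=1056 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=101186198 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_to_rules: read AVC records on stdin, print one allow rule per
# (source type, target type, class) with permissions merged and deduplicated.
avc_to_rules() {
  awk '
    /type=AVC/ && /denied/ {
      # the denied permissions sit between the first "{" and "}"
      l = index($0, "{"); r = index($0, "}")
      perms = substr($0, l + 1, r - l - 1); gsub(/^ +| +$/, "", perms)
      # the third colon-separated field of a context is its type
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      key = s[3] " " t[3] ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " seen[key] " ", " " p[i] " ") == 0)
          seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END {
      for (k in seen)
        if (index(seen[k], " ") > 0) printf "allow %s { %s };\n", k, seen[k]
        else                         printf "allow %s %s;\n", k, seen[k]
    }'
}

# flag_mislabel (this example's own helper): pass through rules whose target is
# a home-directory type. Such a rule is a sign the files carry the wrong label
# and should be relabelled (restorecon/chcon) rather than opened up to httpd_t.
flag_mislabel() {
  grep -E 'admin_home_t|user_home_t' || true
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules | flag_mislabel
```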