From Fedora Project Wiki

audit2allow creating loadable modules

  • Problem: A user reports seeing the following AVC message (spamd was denied a TCP connection to the LDAP port):
type=AVC msg=audit(1138596151.681:104174): avc:  denied  { name_connect } for  pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
  • Solution: use audit2allow to build a loadable policy module that permits the denied access. Feeding the denial to audit2allow -M spamd generates the .te source, compiles it and packages it, printing:
Generating type enforcement file: spamd.te
Compiling policy: checkmodule -M -m -o spamd.mod spamd.te
Building package: semodule_package -o spamd.pp -m spamd.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i spamd.pp

Note: you need to have the checkpolicy package installed to build policy modules.
  • audit2allow creates a loadable module that looks like the listing below. Review the allow rule before loading it: audit2allow writes exactly the access that was denied, but it does not judge whether that access should be permitted at all.
module spamd 1.0;

require {
role object_r;
role system_r;

class tcp_socket name_connect;

type ldap_port_t;
type spamd_t;
};


allow spamd_t ldap_port_t:tcp_socket name_connect;
  • semodule -i spamd.pp # load the module
  • semodule -r spamd # remove the module; the name is the one on the module line, not the .pp file name
  • semodule -l # list the installed modules
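The whole procedure as an added example, not code from the wiki page or from audit2allow itself: a small POSIX shell script whose avc_to_te function parses the AVC denial quoted above into the same kind of .te module that audit2allow -M writes, and whose build_module function runs the three build-and-load commands the page shows, only when the checkpolicy tools are installed. Both function names are this example's own, the AVC line is the page's denial embedded as constructed input, and the script knows nothing about booleans, dontaudit rules or roles, so it is for understanding what the generated module contains, not a replacement for audit2allow.

```shell
#!/bin/sh
# Added example, not code from the Fedora wiki or from audit2allow itself.
# avc_to_te turns one AVC denial into a minimal .te module (the kind that
# "audit2allow -M spamd" generates); build_module runs the same three
# commands the page shows, guarded on the checkpolicy tools being present.

# Constructed input: the denial quoted on the wiki page.
AVC='type=AVC msg=audit(1138596151.681:104174): avc:  denied  { name_connect } for  pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket'

# avc_to_te MODULE_NAME AVC_LINE  -> writes the .te text to stdout
avc_to_te() {
    name=$1
    line=$2
    # permissions sit between the braces after "denied"; there may be several
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed -e 's/^ //' -e 's/ $//')
    # the third field of a context (user:role:type[:level]) is the type
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    if [ -z "$perms" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ]; then
        echo "avc_to_te: line is not a parsable AVC denial" >&2
        return 1
    fi
    # several permissions must be grouped in braces in policy syntax
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n' "$src"
    [ "$src" = "$tgt" ] || printf '\ttype %s;\n' "$tgt"   # list each type once
    printf '\tclass %s %s;\n}\n\nallow %s %s:%s %s;\n' \
        "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

# build_module MODULE_NAME  -> compile NAME.te, package it and load it.
# Call this only after reading NAME.te: the rule permits exactly the
# denied access, and nothing here asks whether it should be permitted.
build_module() {
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1 \
       || ! command -v semodule_package >/dev/null 2>&1; then
        echo "build_module: install the checkpolicy and policycoreutils packages first" >&2
        return 1
    fi
    checkmodule -M -m -o "$name.mod" "$name.te" \
        && semodule_package -o "$name.pp" -m "$name.mod" \
        && semodule -i "$name.pp"
}

# Print the module for the page's denial. To use it: redirect this output
# to spamd.te, review it, then run "build_module spamd".
avc_to_te spamd "$AVC"
```

The parser deliberately refuses a line it cannot split into permission, source type, target type and class rather than emitting a half-formed rule, since a module that fails to compile is better than one that silently allows the wrong thing; the real audit2allow additionally consults audit2why-style reasoning to tell you when an existing boolean would have fixed the denial instead of a new rule.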