Install audit2allow on CentOS

audit2allow – generate SELinux policy allow rules from logs of denied operations.

To find out which package ships the binary, ask yum (the path form also works with dnf on newer releases):

yum provides /usr/bin/audit2allow

On CentOS 7 the tool is part of policycoreutils-python; install it with:

yum install policycoreutils-python

On CentOS 8 and later the same tools moved to the policycoreutils-python-utils package, so install that one instead if the command above reports no such package.

The following example demonstrates using audit2allow to create a policy module.

First run audit2allow -a to read the denials recorded in /var/log/audit/audit.log and print the Type Enforcement (TE) rules that would allow them. Read that output carefully before going further: audit2allow only translates denials into allow rules, it does not judge whether the access should be permitted. A denial caused by a mislabeled file is better fixed with restorecon, and where an existing SELinux boolean would resolve the denial, audit2allow says so in a comment and you should use setsebool instead of a new module.

To use the rules displayed by audit2allow -a, run audit2allow -a -M mycertwatch as the Linux root user. The -M option writes a Type Enforcement source file with the given name (mycertwatch.te) to the current working directory and compiles it into a policy package (mycertwatch.pp).

To install the module, run semodule -i mycertwatch.pp as the Linux root user. Confirm it loaded with semodule -l | grep mycertwatch, and remove it again with semodule -r mycertwatch if the rules turn out to be broader than intended.

If you have denials from several processes but only want a custom policy for one of them, narrow the input to audit2allow with grep. The following example sends only the log lines that mention certwatch through audit2allow:

~]# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch2.pp

The last line is audit2allow's own output, not a prompt; run it as root once you have checked mycertwatch2.te. Note that a plain grep matches the string anywhere in the record, so it also forwards denials from a process named, say, certwatchd, or records whose path merely contains certwatch. When that matters, match the comm field exactly (for example grep 'comm="certwatch"') or let the audit tools do the filtering: ausearch -m avc -c certwatch | audit2allow -M mycertwatch2.
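The narrowing step above, worked through as an added example that is not part of the original page: a POSIX shell script that forwards only the AVC records of one process to audit2allow by comparing the comm= field exactly, alongside the substring grep the page uses so the difference can be measured. The audit records in SAMPLE_AUDIT_LOG are constructed for the example; the function names (avc_for_comm, naive_count, exact_count, build_module) are this example's own. build_module needs audit2allow and root on the target host; the counting functions run anywhere.

```sh
#!/bin/sh
# Added example (not from the original page): feed audit2allow only the AVC
# denials of one process, matching the comm= field exactly instead of
# substring-grepping the whole log.

# Constructed audit.log excerpt (not from a real host): two certwatch
# denials, one from a differently named "certwatchd", one from httpd, and a
# SYSCALL record that mentions certwatch but is not itself a denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1364475353.808:24): avc:  denied  { read } for  pid=2413 comm="certwatch" name="cert8.db" dev="dm-0" ino=143992 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=SYSCALL msg=audit(1364475353.808:24): arch=c000003e syscall=2 success=no exit=-13 a0=7f1c2a3b4c50 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2413 uid=0 gid=0 euid=0 tty=(none) comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
type=AVC msg=audit(1364475360.101:25): avc:  denied  { write } for  pid=2501 comm="certwatchd" name="state" dev="dm-0" ino=14401 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1364475361.500:26): avc:  denied  { name_connect } for  pid=2600 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364475362.900:27): avc:  denied  { getattr } for  pid=2413 comm="certwatch" path="/etc/pki/tls/certwatch.conf" dev="dm-0" ino=1500 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file'

# Keep only type=AVC records whose comm field equals "$1" (stdin -> stdout).
# Whole-field comparison: comm="certwatchd" and paths containing the name
# do not match, and non-AVC records such as SYSCALL are dropped.
avc_for_comm() {
    awk -v want="comm=\"$1\"" '
        $1 == "type=AVC" { for (i = 1; i <= NF; i++) if ($i == want) { print; next } }'
}

# Number of sample lines a substring grep (as on the page) forwards for "$1".
naive_count() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | grep -c "$1"
}

# Number of sample lines the exact comm filter forwards for "$1".
exact_count() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_for_comm "$1" | wc -l | tr -d ' '
}

# Build a policy module from the denials of one process, e.g.
#   build_module /var/log/audit/audit.log certwatch mycertwatch2
# Writes <name>.te and <name>.pp to the current directory; the .te must be
# reviewed before the package is loaded with semodule -i.
build_module() {
    log="$1"; proc="$2"; name="$3"
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not found; run: yum install policycoreutils-python" >&2
        return 1
    fi
    if ! avc_for_comm "$proc" < "$log" | audit2allow -M "$name"; then
        echo "audit2allow failed (no matching denials, or not running as root?)" >&2
        return 1
    fi
    echo "Review ${name}.te, then activate with: semodule -i ${name}.pp" >&2
}
```

On the constructed sample, grep certwatch forwards four lines (both certwatch denials, the certwatchd denial and the SYSCALL record), while avc_for_comm certwatch forwards exactly the two certwatch denials. audit2allow itself ignores the SYSCALL line, so the practical difference is the certwatchd rule that would otherwise end up in mycertwatch2.te.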