tldr/pages/linux/audit2allow.md

# audit2allow

> Create an SELinux local policy module to allow rules based on denied operations found in logs.
> Note: Use audit2allow with caution. Always review the generated policy before applying it, as it may allow excessive access.
> More information: <https://manned.org/audit2allow>.

- Generate a local policy to allow access for all denied services:

`sudo audit2allow {{[-a|--all]}} -M {{local_policy_name}}`

- Generate a local policy module to grant access to a specific process/service/command from the audit logs:

`sudo grep {{apache2}} /var/log/audit/audit.log | sudo audit2allow -M {{local_policy_name}}`

- Inspect and review the Type Enforcement (.te) file for a local policy:

`vim {{local_policy_name}}.te`

- Install a local policy module:

`sudo semodule {{[-i|--install]}} {{local_policy_name}}.pp`
audit2allow: add page (#13612) * audit2allow: add page * audit2allow: fix man page link * audit2allow: add a caution note and separate the install example --------- Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> 2024-09-08 13:57:12 +01:00			`# audit2allow`

			`> Create an SELinux local policy module to allow rules based on denied operations found in logs.`
pages/*: replace dashes with hyphen (#15447) 2025-01-06 04:58:55 +08:00			`> Note: Use audit2allow with caution. Always review the generated policy before applying it, as it may allow excessive access.`
audit2allow: add page (#13612) * audit2allow: add page * audit2allow: fix man page link * audit2allow: add a caution note and separate the install example --------- Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> 2024-09-08 13:57:12 +01:00			`> More information: <https://manned.org/audit2allow>.`

			`- Generate a local policy to allow access for all denied services:`

linux/: add option placeholders (#16192) batch1 * batch2 * batch3 * batch4 * Update matchpathcon.md * Update pages/linux/arecord.md Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> * Update pages/linux/arecord.md Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> * Update pages/linux/arecord.md Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> --------- Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> 2025-04-20 00:21:53 +03:00			`sudo audit2allow {{[-a\|--all]}} -M {{local_policy_name}}`
audit2allow: add page (#13612) * audit2allow: add page * audit2allow: fix man page link * audit2allow: add a caution note and separate the install example --------- Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> 2024-09-08 13:57:12 +01:00
			`- Generate a local policy module to grant access to a specific process/service/command from the audit logs:`

			`sudo grep {{apache2}} /var/log/audit/audit.log \| sudo audit2allow -M {{local_policy_name}}`

			`- Inspect and review the Type Enforcement (.te) file for a local policy:`

			`vim {{local_policy_name}}.te`

			`- Install a local policy module:`

linux/: add option placeholders (#16192) batch1 * batch2 * batch3 * batch4 * Update matchpathcon.md * Update pages/linux/arecord.md Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> * Update pages/linux/arecord.md Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> * Update pages/linux/arecord.md Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> --------- Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> Co-authored-by: Wiktor Perskawiec <git@spageektti.cc> 2025-04-20 00:21:53 +03:00			`sudo semodule {{[-i\|--install]}} {{local_policy_name}}.pp`