
Troubleshooting SELinux

By tux • Jun 19th, 2009 • Category: Linux, Selinux

I have recently been working on SELinux. The mandatory access control ideas behind it go back to 1970s research, but SELinux itself was released by the NSA in December 2000 and merged into the 2.6 kernel; it is a kernel-enforced MAC mechanism rather than a user-space standard, and it is gaining wide acceptance these days.

While implementing SELinux on my production servers I could not go straight to enforcing mode. Instead I stayed in permissive mode, watched the AVC denials SELinux logged, and decided for each one whether it should be allowed or not. The tiring part is that you need to go through every single denial in the kernel log facility of syslog (or in /var/log/audit/audit.log, if auditd is running), and one type of denial can be repeated thousands of times a day. So I wrote a simple script to collapse the duplicate denials. Please see below.

Usage: avc_uniquer.sh <file containing SELinux denials>

avc_uniquer.sh

#!/bin/bash
# Number the lines, reduce each to "<number> { perms } scontext=... tcontext=... tclass=...",
# then sort and uniq on the fields after the line number and the opening brace, so denials
# that differ only in pid, inode, timestamp etc. collapse to the first line number seen.
for n in $(cat -n "$1" | sed 's/\(\ *[[:digit:]]\{1,\}\ *\)\(.*\)\({.*}\)\(.*\)\(scontext.*\)/\1\ \3\ \5/' | sort -k3 | uniq -f 2 | awk '{print $1}'); do
    sed -n "${n}p" "$1"   # print the original record for each surviving line number
done

TIP1:

avc_uniquer.sh <filename> | audit2allow

The above prints the allow rules that audit2allow derives from the deduplicated denials. Treat them as a starting point, not as something to load blindly: audit2allow emits exactly what is needed to silence each denial, and the right fix is often a boolean or a relabel of the files instead (audit2why, or audit2allow -w, explains what each denial means). In the example below the generated rules would let smbd create and write files in Apache's content directory; whether that is acceptable is a policy decision you have to make before loading anything.

Eg:

Tue Jul 21 11:11:39 IST 2009$ avc_uniquer.sh selinux_denial | audit2allow
allow smbd_t httpd_sys_content_t:dir { add_name create write };
allow smbd_t httpd_sys_content_t:file { create getattr lock read write };
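As an added example that is not part of the original post (it is not avc_uniquer.sh, and the function names avc_count, avc_distinct and sample_denials, as well as the sample log lines, are constructed for this illustration), the script below does the same deduplication as the post's script in a single awk pass, and also prefixes each unique denial with how many times it occurred, so the noisiest denials can be reviewed first and the same deduplicated lines can still be fed to audit2allow as in the tip above:

```shell
#!/bin/sh
# Added example, not the original post's avc_uniquer.sh: collapse duplicate
# AVC denials in one awk pass and prefix each unique denial with its count.
# The function names and the sample data are assumptions made for this example.

# Constructed sample input: three AVC records (two identical apart from the
# audit timestamp/serial) plus an unrelated SYSCALL record that must be ignored.
sample_denials() {
    cat <<'EOF'
type=AVC msg=audit(1247224299.123:100): avc:  denied  { write } for  pid=1234 comm="smbd" name="share" dev=sda1 ino=42 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1247224300.456:101): avc:  denied  { write } for  pid=1234 comm="smbd" name="share" dev=sda1 ino=42 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1247224301.789:102): avc:  denied  { read } for  pid=1235 comm="smbd" name="index.html" dev=sda1 ino=43 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1247224301.789:102): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# avc_count [file ...]: read AVC lines from the given files (or stdin) and
# print "<count>  <first line seen>" once per distinct tuple of
# (denied permissions, scontext, tcontext, tclass). That tuple is what makes
# two denials "the same" for audit2allow; pid, inode and timestamp differ
# between occurrences and are deliberately ignored.
avc_count() {
    awk '
        /avc: *denied/ {
            # Permission set: the text between "denied {" and "}".
            perms = $0
            sub(/^.*denied[[:space:]]*[{][[:space:]]*/, "", perms)
            sub(/[[:space:]]*[}].*$/, "", perms)
            # Subject context, target context and object class are
            # key=value tokens; pick them out by prefix.
            sc = tc = cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      sc  = substr($i, 10)
                else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            key = sc SUBSEP tc SUBSEP cls SUBSEP perms
            if (!(key in count)) { first[key] = $0; order[++n] = key }
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%6d  %s\n", count[order[i]], first[order[i]]
        }
    ' "$@"
}

# Number of distinct denials in a file or stream; handy for a quick check.
avc_distinct() {
    avc_count "$@" | awk 'END { print NR }'
}

# Demo on the constructed sample: prints 2 lines, the first with count 2.
sample_denials | avc_count
```

On a real box you would run it as avc_count /var/log/audit/audit.log | sort -rn to see the most frequent denials first; to hand the lines to audit2allow, strip the count column with cut -c9- first (the count is printed in an 8-character prefix). If after review you do decide to allow something, audit2allow -M <name> writes a loadable module and semodule -i <name>.pp installs it; the review step is the part not to skip.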

Hope it will be helpful for some :)

