7.3.8. Allowing Access: audit2allow
Do not use the example in this section in production. It is used only to demonstrate the use of audit2allow.
From the audit2allow(1) manual page: “audit2allow – generate SELinux policy allow rules from logs of denied operations”. After analyzing denials as described in Section 7.3.7, “sealert Messages”, and if no label change or Boolean allows the access, use audit2allow to create a local policy module. When SELinux has denied access, running the audit2allow command presents the Type Enforcement rules that would allow the previously denied access.
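How the fields of a denial map onto a Type Enforcement rule, as an added example (not code from this guide or from audit2allow itself): the script reads AVC denial records and emits one allow rule per source type, target type and object class. The log records and the exampled_t domain are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format; "exampled" is a hypothetical daemon.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4101 comm="exampled" name="example.sock" dev="tmpfs" ino=1201 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="exampled" exe="/usr/sbin/exampled"
type=AVC msg=audit(1700000005.330:207): avc:  denied  { read open } for  pid=4101 comm="exampled" name="example.conf" dev="dm-0" ino=5502 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.870:212): avc:  denied  { getattr } for  pid=4101 comm="exampled" path="/etc/example.conf" dev="dm-0" ino=5502 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000011.004:215): avc:  granted  { execute } for  pid=4101 comm="exampled" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# Only "denied" AVC records yield rules; "granted" records are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render_te(rules):
    """Render one allow rule per key, merging that key's permissions."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out

if __name__ == "__main__":
    for rule in render_te(collect_denials(SAMPLE_LOG)):
        print(rule)
```

Each rule applies to every process running in the source domain, which is why the label and Boolean checks come first.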
The following example demonstrates using audit2allow to create a policy module:
A denial and the associated system call are logged to /var/log/audit/audit.log: