A Python script that auto-generates SELinux modules from deny messages
christopher-conley/lazy_selinux
lazy_selinux

This is a Python script that auto-generates SELinux modules for policy denials found in /var/log/messages.

Run the script once to generate a config file at:

~/.automation/python/config/lazy_selinux/lazy_selinux.yml

Edit the config file to adjust the email details (sender, SMTP server, etc.), then run the script again to generate modules, should any need creation. The script expects the SMTP password to be set in an environment variable named SELINUX_SMTP_PASSWORD; if that variable doesn't exist, modules will still be generated, but no email notification will be attempted.

The output of --help is available below:

usage: lazy_selinux.py [-h] [-c CONFIG_FILE] [-e EXPRESSION] [-E EMAIL_FROM] [-g GENERATION_RECORD] [-i] [-L LOG_FILE] [-m MODULES_DIR] [-r RECIPIENTS] [-s SEARCH_LOGFILE] [-S SMTP_SERVER] [-v]

Search for SELinux denials and autocreate pp files

options:
-h, --help            show this help message and exit
-c CONFIG_FILE, --config-file CONFIG_FILE
                        Path to YAML config file. Defaults to: ~/.automation/python/config/lazy_selinux/lazy_selinux.yml
-e EXPRESSION, --expression EXPRESSION
                        Regex match expression to search for in logfile. Defaults to a string way too long for this help message.
-E EMAIL_FROM, --email-from EMAIL_FROM
                        Email address to send notifications from. Also used as the username for SMTP authentication.
-g GENERATION_RECORD, --generation-record GENERATION_RECORD
                        Path to file where a record of generated modules will be stored. Defaults to: ~/.automation/python/logs/lazy_selinux/autogenerated_selinux_modules.yml
-i, --insert-modules  Take your laziness to the next level and auto-insert modules. You probably shouldn't do this, but the option is here if you want to be dangerous and lazy.
-L LOG_FILE, --log-file LOG_FILE
                        Path to file where the script will log its output. Defaults to: ~/.automation/python/logs/lazy_selinux/lazy_selinux.py.log
-m MODULES_DIR, --modules-dir MODULES_DIR
                        Where to store auto-generated SELinux modules. Defaults to: ~/generated_selinux_modules
-r RECIPIENTS, --recipients RECIPIENTS
                        Comma-separated list (string) of recipients to receive email notifications. Specify with or without spaces after commas.
-s SEARCH_LOGFILE, --search-logfile SEARCH_LOGFILE
                        Logfile to search for SELinux denials. Defaults to: /var/log/messages
-S SMTP_SERVER, --smtp-server SMTP_SERVER
                        SMTP server to use for sending email notifications.
-v, --version         Show version information and exit. This isn't a verbose flag, this script is all verbose all the time.

This script WILL NOT auto-insert modules unless the [-i|--insert-modules] command-line flag is given, and doing that is probably a bad idea; that's why it's off by default. Arguments provided on the command line at runtime override options set in the YAML config file.
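For readers who want to see the core of what such a tool does, the following is an added example (not code from this repository, whose own search expression is not shown above): it picks the kernel AVC "denied" lines out of constructed /var/log/messages content, aggregates the denied permissions per source type, target type and object class, and renders a minimal .te module in audit2allow style. It deliberately stops at producing text for a human to review rather than building or inserting a .pp; module name, regex and sample lines are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of the kernel AVC lines that end up in /var/log/messages
# (the sshd line is there to show non-AVC noise being skipped).
SAMPLE_MESSAGES = """\
Jan 12 10:00:01 web1 kernel: audit: type=1400 audit(1705053601.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 12 10:00:01 web1 kernel: audit: type=1400 audit(1705053601.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 12 10:00:02 web1 kernel: audit: type=1400 audit(1705053602.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
Jan 12 10:00:03 web1 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51234
"""

# Assumed match expression: permissions in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """SELinux contexts are user:role:type[:level]; policy rules use the type field."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)} from AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, ignore
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def to_te(rules, name="lazy_auto"):
    """Render the aggregated denials as a .te module: require block plus allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Every allow line the .te contains widens what the confined domain may do, which is exactly why reviewing this text before anything is compiled or inserted is the sane default.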
