This is a Python script that auto-generates SELinux policy modules for AVC denials found in /var/log/messages.
Run the script once to generate a config file at:
~/.automation/python/config/lazy_selinux/lazy_selinux.yml
Edit the config file to adjust the email details (sender, SMTP server, etc.), then run the script again to generate modules, should any need creating. The script expects the SMTP password to be set in an environment variable named SELINUX_SMTP_PASSWORD; if that variable does not exist, modules will still be generated, but no email notification will be attempted.
The output of --help is available below:
usage: lazy_selinux.py [-h] [-c CONFIG_FILE] [-e EXPRESSION] [-E EMAIL_FROM] [-g GENERATION_RECORD] [-i] [-L LOG_FILE] [-m MODULES_DIR] [-r RECIPIENTS] [-s SEARCH_LOGFILE] [-S SMTP_SERVER] [-v]
Search for SELinux denials and autocreate pp files
options:
-h, --help show this help message and exit
-c CONFIG_FILE, --config-file CONFIG_FILE
Path to YAML config file. Defaults to: ~/.automation/python/config/lazy_selinux/lazy_selinux.yml
-e EXPRESSION, --expression EXPRESSION
Regex match expression to search for in logfile. Defaults to a string way too long for this help message.
-E EMAIL_FROM, --email-from EMAIL_FROM
Email address to send notifications from. Also used as the username for SMTP authentication.
-g GENERATION_RECORD, --generation-record GENERATION_RECORD
Path to file where a record of generated modules will be stored. Defaults to: ~/.automation/python/logs/lazy_selinux/autogenerated_selinux_modules.yml
-i, --insert-modules Take your laziness to the next level and auto-insert modules. You probably shouldn't do this, but the option is here if you want to be dangerous and lazy.
-L LOG_FILE, --log-file LOG_FILE
Path to file where the script will log its output. Defaults to: ~/.automation/python/logs/lazy_selinux/lazy_selinux.py.log
-m MODULES_DIR, --modules-dir MODULES_DIR
Where to store auto-generated SELinux modules. Defaults to: ~/generated_selinux_modules
-r RECIPIENTS, --recipients RECIPIENTS
Comma-separated list (string) of recipients to receive email notifications. Specify with or without spaces after commas.
-s SEARCH_LOGFILE, --search-logfile SEARCH_LOGFILE
Logfile to search for SELinux denials. Defaults to: /var/log/messages
-S SMTP_SERVER, --smtp-server SMTP_SERVER
SMTP server to use for sending email notifications.
-v, --version Show version information and exit. This isn't a verbose flag, this script is all verbose all the time.
This script WILL NOT auto-insert modules unless the [-i|--insert-modules] commandline flag is given, and using that flag is probably a bad idea; that's why it's off by default. A generated module allows exactly what was denied, so inserting it unreviewed turns every denial in the log, including one caused by a misconfiguration or by something malicious, into a permanent allow rule. Read the generated .te/.pp content before loading it with semodule. Arguments provided on the commandline at runtime override options set in the YAML config file.
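The pipeline the script automates (scan a logfile for AVC denials, aggregate them into allow rules, write a module source, then compile and optionally load it) can be seen end to end in the following added example. It is illustrative code written for this page, not lazy_selinux.py itself; the log lines are constructed, the regex is a simplified version of what audit2allow's parser accepts, and RISKY_PERMS is an assumed review list, not part of the script. Only the command lists are built here; nothing is executed.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/messages format (not from a real host).
SAMPLE_LOG = """\
Jun 10 12:00:01 host kernel: type=1400 audit(1718020801.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jun 10 12:00:02 host kernel: type=1400 audit(1718020802.456:457): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/deploy/app.log" dev="sda1" ino=567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jun 10 12:00:03 host sshd[999]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Jun 10 12:00:04 host kernel: type=1400 audit(1718020804.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
Jun 10 12:00:05 host kernel: type=1400 audit(1718020805.012:459): avc:  denied  { execmem } for  pid=2000 comm="java" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
"""

# One AVC denial: permission set, source/target security contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed review list: permissions that should never be auto-allowed unreviewed.
RISKY_PERMS = {"execmem", "execheap", "execstack", "execmod",
               "transition", "entrypoint", "ptrace", "setuid"}


def selinux_type(context):
    """user:role:type[:level] -> type component."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)}, merged across lines."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the sshd line)
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def risky_rules(denials):
    """Rules that grant something from RISKY_PERMS; these need a human, not a script."""
    return {k: sorted(v & RISKY_PERMS) for k, v in denials.items() if v & RISKY_PERMS}


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(name, denials, version="1.0"):
    """Render Type Enforcement source in the shape audit2allow -M would write."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {cls} {fmt_perms(p)};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {src} {tgt}:{cls} {fmt_perms(perms)};"
              for (src, tgt, cls), perms in sorted(denials.items())]
    return "\n".join(lines) + "\n"


def build_commands(name, modules_dir, insert=False):
    """Commands to compile the .te into a .pp; semodule -i only when explicitly requested."""
    te, mod, pp = (f"{modules_dir}/{name}.{ext}" for ext in ("te", "mod", "pp"))
    cmds = [["checkmodule", "-M", "-m", "-o", mod, te],
            ["semodule_package", "-o", pp, "-m", mod]]
    if insert:
        cmds.append(["semodule", "-i", pp])
    return cmds


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(build_te("lazy_httpd", found))
    print("needs review:", risky_rules(found))
    for cmd in build_commands("lazy_httpd", "/root/generated_selinux_modules"):
        print(" ".join(cmd))
```

Two things the example makes visible that the help text does not: the two httpd denials collapse into one `allow httpd_t user_home_t:file { open read };` rule, and the `execmem` denial is exactly the kind of line an auto-insert would silently turn into policy, which is why the review list blocks it and why `semodule -i` stays behind an explicit flag.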