audit2allow - Linux


audit2allow analyzes audit log messages and generates customized SELinux policies that allow the activities observed in the logs. It helps identify and address security vulnerabilities by creating policies that permit legitimate system operations while preventing malicious activities.


audit2allow [options] [audit-log-file]


| Option | Description | Default |
| -a, --allow-missing-file | Allow processing of missing files | False |
| -c, --command | Command to run audit2allow against | None |
| -e, --exclude-sockets | Exclude socket information from output | False |
| -i, --input | Input file containing audit records | stdin |
| -l, --list-unused-rule | List unused rules | False |
| -o, --output | Output file to store the generated policy | stdout |
| -r, --recursive | Recursively search for audit log files | False |
| -t, --type | Specify the type of audit messages to process | all |
| -v, --version | Display version information | None |
| -h, --help | Show help and usage information | None |


Simple usage:

audit2allow /var/log/audit/audit.log

Generate policy for specific command:

audit2allow -c 'httpd' /var/log/audit/audit.log

Exclude socket information:

audit2allow -e /var/log/audit/audit.log

Common Issues

  • Missing audit log file: Ensure the provided file exists and has the correct permissions.
  • Invalid audit records: Check if the audit records are well-formed and follow the SELinux audit message format.
  • Unrecognized audit messages: If the audit log contains messages not supported by audit2allow, they will be ignored.


audit2allow generated policies can be used with the semanage command to manage SELinux policies:

semanage import -f /path/to/generated_policy

Related Commands

  • auditd: Audit daemon that logs system events
  • semanage: SELinux policy management tool
  • auditctl: Control and view audit rules