On Wed, 2005-11-30 at 05:38 -0800, Steve G wrote:
You should do
audit2allow -l < /var/log/audit/audit.log
I would like to take this opportunity to point out that you should not be using the audit logs directly. ausearch is the correct way to access the logs. I would recommend:
ausearch -m avc,selinux_err | audit2allow -l
There's 3 reasons for this. 1) There may be more than 1 log file that needs to be examined. ausearch automatically looks at all of them. You can restrict its search by using the -ts & -te parameters. 2) Sometimes file names or sockets get encoded and cannot be read without ausearch's interpretation...and 3) we may be changing to binary log format at some point during fc5/6 time frame.
Hmm...this should likely get reflected in the audit2allow man page...