As a systems administrator, you have noticed SELinux Access Vector Cache (AVC) denial messages in your system's audit logs, indicating that a legitimate application is being blocked from performing necessary actions. You want to create a custom SELinux module to adjust the policy and allow the application to function as intended. Which command should you use to generate a custom SELinux policy module based on the recorded AVC denials?
The correct command is audit2allow -M mymodule < /var/log/audit/audit.log. It reads the AVC denial messages from the specified log file and generates a custom SELinux policy module named 'mymodule'. The -M option specifies the name of the module. This command is designed to interpret AVC messages and create a tentative policy that permits the denied actions, easing the process of troubleshooting and adjusting SELinux policies.
The other options, audit2why, semanage module -i, and getenforce, serve different purposes. The audit2why command is used to interpret denial messages and provide explanations, not to generate policy modules. semanage module -i would be used to install a module, not create one. getenforce simply reports the current SELinux enforcement mode and does nothing related to policy creation.