Project 2: AVC Denial Analyzer & Auto-Fixer

An intelligent tool that monitors audit logs in real-time, parses AVC denial messages, explains them in plain English, and suggests fixes—from boolean changes to custom policy modules.

Quick Reference

Attribute              Value
Primary Language       Python
Alternative Languages  Go, Rust, Bash
Difficulty             Level 2: Intermediate
Time Estimate          1-2 weeks
Knowledge Area         SELinux Troubleshooting / Audit Logs
Tooling                audit, setroubleshoot, audit2allow
Prerequisites          Project 1 completed, understanding of security contexts

Why It Matters

Reading an AVC denial, working out which type or boolean is involved, and choosing the narrowest fix is a routine SELinux administration task; this project builds exactly those skills, which recur in real-world systems and tooling.

Core Challenges

  • Parsing AVC messages → understanding audit log format
  • Determining fix strategies → booleans vs labels vs policy
  • Generating policy modules → audit2allow and .te files
  • Avoiding insecure fixes → understanding least privilege

Key Concepts

  • Map the project to core concepts before you code.

Real-World Outcome

$ sudo ./avc-analyzer --watch

🔴 AVC Denial Detected at 14:32:45
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Raw: avc: denied { read } for pid=5678 comm="httpd" name="config.ini"
     scontext=system_u:system_r:httpd_t:s0
     tcontext=system_u:object_r:user_home_t:s0 tclass=file

📋 EXPLANATION:
Apache (httpd_t) tried to READ "config.ini" but was DENIED because:
• The file is labeled user_home_t (user's home directory type)
• No policy rule allows httpd_t to read user_home_t files

🔧 FIXES (in order of preference):
1. ✅ BEST: Move file to /var/www/html/ and run restorecon
2. ⚠️  ALT: semanage fcontext -a -t httpd_sys_content_t '/path'
3. ❌ AVOID: Enable httpd_read_user_content boolean (too broad!)
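The parsing and ranking step behind that output, as an added example (not the project's own code): it splits one AVC record into its fields, pulls the source and target types out of the contexts, and ranks fixes narrowest-first. The sample record, the rule for the httpd_t/user_home_t case and the generic fallback are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample record shaped like the denial shown above (not captured
# from a real system).
SAMPLE_AVC = ('type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for '
              'pid=5678 comm="httpd" name="config.ini" dev="dm-0" ino=1234 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

@dataclass
class Denial:
    perms: list   # permissions denied, e.g. ['read']
    fields: dict  # pid, comm, name, scontext, tcontext, tclass, ...

    def stype(self):  # source domain type: user:role:TYPE:level -> TYPE
        return self.fields['scontext'].split(':')[2]

    def ttype(self):  # target object type
        return self.fields['tcontext'].split(':')[2]

def parse_avc(line):
    """Return a Denial for one AVC line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return Denial(perms=m.group('perms').split(), fields=fields)

def explain(d):
    """Plain-English summary of who was denied what on which type."""
    perms = '/'.join(d.perms)
    return (f'{d.fields.get("comm", "?")} ({d.stype()}) tried to {perms.upper()} '
            f'"{d.fields.get("name", "?")}" but was denied: no policy rule allows '
            f'{d.stype()} {perms} on {d.ttype()} objects of class {d.fields.get("tclass", "?")}')

def suggest_fixes(d):
    """Rank fixes narrowest-first: relabel the object before widening the domain."""
    if d.stype() == 'httpd_t' and d.ttype() == 'user_home_t' and d.fields.get('tclass') == 'file':
        return ['BEST: move the file under /var/www/html/ and run restorecon',
                "ALT: semanage fcontext -a -t httpd_sys_content_t '<path>' then restorecon",
                'AVOID: setsebool httpd_read_user_content on (grants access to all user content)']
    # Constructed fallback: explain the denial before considering any policy change.
    return [f'Check the denial with audit2allow -w before changing labels or policy ({d.stype()} -> {d.ttype()})']
```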

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “SELinux System Administration, 3rd Edition” by Sven Vermeulen