-
Notifications
You must be signed in to change notification settings - Fork 360
Tools
Analysis tools are primarily used to analyze the on-disk policy for certain criteria, for example information flow. These tools form the basis on which we can make claims concerning the security properties of an SELinux system. They are required on development systems being used to analyze a target policy, and are rarely installed on the target production systems.
Tool name | Description | Source |
apol | perform many analyses on the target policy including domain transition, information flow, standard queries, filesystem analysis and so on | setools |
sediff | perform a semantic difference between two policies | setools |
sediffx | graphical version of sediff | setools |
sesearch | query a policy file for various parts of the policy such as te rules, symbols, etc | setools |
Build time tools are used during building a policy from source into modules or a monolithic kernel policy. They are required on systems that intend to build policies from source, including production systems that use tools such as audit2allow to add new policy rules at runtime. They would not be used on secure end-systems.
Tool name | Description | Source |
checkmodule | create a policy module from a module source file | checkpolicy |
checkpolicy | create a kernel policy from a policy source file | checkpolicy |
fcsort | tool included with the reference policy that sorts filecontext files during policy build time | refpolicy |
sedoctool.py | generate documentation from reference policy xml comments | refpolicy |
semodule_package | create a policy package from a compiled module and optionally file context, seuser, userextra, and netfilter context file | semodule-utils (2.7) or policycoreutils (<= 2.6) |
Debugging tools give policy developers and SELinux toolchain developers information useful in finding or troubleshooting a problem related to SELinux. They may be installed on end-systems during development and testing but not typically during production.
Tool name | Description | Source |
avcstat | give statistics about the in-kernel access vector cache, such as number of lookups, hits and misses | libselinux |
chkcon | verify that a context is valid in an on-disk policy | libsepol |
compute_av | query the kernel security server for an access vector decision | libselinux |
compute_create | query the kernel security server for a transition decision | libselinux |
compute_member | query the kernel security server for a labeling decision on a polyinstanciated object | libselinux |
compute_relabel | query the kernel security server for a relabel decision | libselinux |
compute_user | query the kernel security server for a set of reachable user contexts from a source context | libselinux |
getconlist | uses security_compute_user(3) and orders the resulting list based on default_contexts file and per-user context files | libselinux |
getdefaultcon | same as getconlist but only returns the first context | libselinux |
getfilecon | get the context of a file by path | libselinux |
getpidcon | get the context of a process by pid number | libselinux |
getseuser | query the seuser file for the resulting SELinux user and context for a particular linux login and login context | libselinux |
policyvers | query the kernel security server for the maximum policy version supported | libselinux |
seinfo | query various parts of an on-disk policy such as a list of types, list of nodecons, etc | setools |
selinux_check_secure_tty_context | Check whether a tty context is a securetty context | libselinux |
sestatus | get several pieces of information about the running state of SELinux including enabled status, enforcing/permissive, policy name and contexts of various important processes and files | policycoreutils |
Development tools are used when writing SELinux policy and are typically installed on development systems or end-systems during development and testing. Some tools are more focused on typical end-users while others are more focused on experienced policy developers. For example audit2allow can be used by typical users to create policies from denials while sedispol would only be used by experienced developers to understand the ramifications of rules added to the source policy.
Tool name | Description | Source |
audit2allow | used to read SELinux denials and show corresponding rules | selinux-python (2.7) or policycoreutils (<= 2.6) |
audit2why | determine why a denial occured, for example if it was caused by a constraint, requires a kernel policy | selinux-python (2.7) or policycoreutils (<= 2.6) |
CDS Framework | IDE based on eclipse to write policies for cross domain solutions | cds framework |
findcon | search the filesystem, a filecontexts file or a database generated by indexcon for parts of a context | setools |
indexcon | generate a database of file contexts | setools |
matchpathcon | query the active filecontext file for how a particular path should be labeled | libselinux |
seaudit | view, sort and save SELinux denials | setools |
seaudit-report | generate a customized SELinux log report | setools |
sechecker | tool to run a variety of tests against a policy, such as attributes not used in any rules, domains with no roles, etc | setools |
secon | see the context of an selinux object (file, process, key) | policycoreutils |
dismod | query various parts of a compiled policy module or policy package (distributed as sedismod on Fedora and RHEL) | checkpolicy |
dispol | query various parts of a compiled kernel policy (distributed as sedispol on Fedora and RHEL) | checkpolicy |
seedit | third party gui to create policy, not compatible with refpolicy, uses path to generate file types | seedit |
selinux-polgengui | Red Hat GUI to create policies based on several templates, such as standard daemon, web app, user role, etc | Red Hat |
semodule_deps | show policy module dependencies | semodule-utils (2.7) or policycoreutils (<= 2.6) |
semodule_expand | expand a base policy module into a kernel policy | semodule-utils (2.7) or policycoreutils (<= 2.6) |
semodule_link | link a list of policy modules together | semodule-utils (2.7) or policycoreutils (<= 2.6) |
sepolgen-ifgen | generate the interface file that audit2allow uses to match interfaces to rules when generating refpolicy style policy modules | selinux-python (2.7) or policycoreutils (<= 2.6) |
SLIDE | SELinux policy IDE based off eclipse | eclipse-slide |
Relabeling tools are used to relabel files given different kinds of inputs. Some tools simply take a context while others query the active file_context file on the system. Some are able to look at the package data of the distribution they are using to get a list of files to be relabeled. Not included in this list is the init script used on some systems to relabel a filesystem automatically at boot time by creating a .autorelabel file in the root partition.
Tool name | Description | Source |
chcon | change the context or part of a context on a file | coreutils |
fixfiles | relabel files or verify file labels based on rpm package name or path; uses active file_context file | policycoreutils |
rlpkg | relabel files based on gentoo package (gentoo specific) | gentoo |
restorecon | relabel files based on path | policycoreutils |
restorecond | daemon that uses inotify to relabel files at runtime | restorecond (2.7) or policycoreutils (<= 2.6) |
setfilecon | set the context of a path | libselinux |
setfiles | relabel files based on path, must provide filecontexts file or verify filecontext file validity against binary policy | policycoreutils |
Runtime tools are used at runtime on end-systems to change or view the running behavior of SELinux. Some may not be used on secure end-systems such as setroubleshootd.
Tool name | Description | Source |
avc_toggle | toggle the enforcing state of the kernel security server (only distributed on Gentoo now) | gentoo |
chcat | change the categories on a file, or the authorized categories for a user | selinux-python (2.7) or policycoreutils (<= 2.6) |
genhomedircon | generate user home directory file contexts based on template file contexts (HOMEDIR, HOMEROOT, etc) | policycoreutils |
getenforce | get the enforcing state of the kernel access vector cache | libselinux |
getsebool | get the current state of an SELinux boolean in the SELinux security server | libselinux |
load_policy | load the active kernel policy | policycoreutils |
mcstransd | daemon that provides translations for levels and categories | mcstrans |
newrole | change your role, type or level, requires re-authentication, suitable for use by user domains | policycoreutils |
open_init_pty | used by run_init to run a process under a new pty | policycoreutils |
replcon | replace all or some of a file context, supports globbing and regex in search fields | setools |
runcon | run a command with a specified SELinux context, does not re-authenticate, suitable for use in scripts to run a service in a different domain | coreutils |
run_init | run an init script in the appropriate domain | policycoreutils |
seadmin | third party gui that wraps semanage functionality | seadmin |
segatex | third party gui that wraps semanage functionality | segatex |
selinuxenabled | Check whether SELinux is currently enabled | libselinux |
semanage | manage several aspects of SELinux including port, interface and node labeling, persistent file context and boolean settings, authorized roles and levels for SELinux users, authorized SELinux users and levels for seusers (login or Linux users), MLS translations and permissive types | selinux-python (2.7) or policycoreutils (<= 2.6) |
semodule | insert, delete and list SELinux policy modules on the running system | policycoreutils |
setenforce | set the enforcing state of the kernel access vector cache | libselinux |
setroubleshootd | a daemon that watches for denials and offers suggestions on fixing them (has multiple frontends including a gnome tray interface) | Red Hat |
setsebool | set the state of an SELinux boolean either temporarilly or persistently | policycoreutils |
system-config-selinux | Red Hat GUI that wraps most semanage functionality | Red Hat |
togglesebool | Toggles an SELinux Boolean, only runtime, not persistently | libselinux |
update-selinux-conf | lets you change the policy SELINUXTYPE in /etc/selinux/config (Ubuntu specific) | Ubuntu |
update-selinux-policy | rebuilds the policy based on the pp files in /etc/selinux.d (Ubuntu specific) | Ubuntu |