-
Notifications
You must be signed in to change notification settings - Fork 379
Tools
Analysis tools are primarily used to analyze the on-disk policy for certain criteria, for example information flow. These tools form the basis on which we can make claims concerning the security properties of an SELinux system. They are required on development systems being used to analyze a target policy, and are rarely installed on the target production systems.
| Tool name | Description | Source |
| apol | perform many analyses on the target policy including domain transition, information flow, standard queries, filesystem analysis and so on | setools |
| sediff | perform a semantic difference between two policies | setools |
| sesearch | query a policy file for various parts of the policy such as te rules, symbols, etc | setools |
| seinfo | query the components of a SELinux policy | setools |
| sedta | perform domain transition analysis on a policy | setools |
| seinfoflow | perform information flow analysis on a policy | setools |
Build time tools are used during building a policy from source into modules or a monolithic kernel policy. They are required on systems that intend to build policies from source, including production systems that use tools such as audit2allow to add new policy rules at runtime. They are not required on typical non-developer end-systems.
| Tool name | Description | Source |
| checkmodule | create a policy module from a module source file | checkpolicy |
| checkpolicy | create a kernel policy from a policy source file | checkpolicy |
| semodule_package | create a policy package from a compiled module and optionally file context, seuser, userextra, and netfilter context file | semodule-utils (2.7) or policycoreutils (<= 2.6) |
| secilc | create a kernel policy from a Common Intermediate Language (CIL) policy module | secilc |
Debugging tools give policy developers and SELinux toolchain developers information useful in finding or troubleshooting a problem related to SELinux. They may be installed on end-systems during development and testing but not typically during production.
| Tool name | Description | Source |
| compute_av | query the kernel security server for an access vector decision | libselinux |
| compute_create | query the kernel security server for a transition decision | libselinux |
| compute_member | query the kernel security server for a labeling decision on a polyinstanciated object | libselinux |
| compute_relabel | query the kernel security server for a relabel decision | libselinux |
| compute_user | query the kernel security server for a set of reachable user contexts from a source context | libselinux |
| getconlist | uses security_compute_user(3) and orders the resulting list based on default_contexts file and per-user context files | libselinux |
| getdefaultcon | same as getconlist but only returns the first context | libselinux |
| getfilecon | get the context of a file by path | libselinux |
| getpidcon | get the context of a process by pid number | libselinux |
| getseuser | query the seuser file for the resulting SELinux user and context for a particular linux login and login context | libselinux |
| policyvers | query the kernel security server for the maximum policy version supported | libselinux |
| selinux_check_secure_tty_context | Check whether a tty context is a securetty context | libselinux |
Development tools are used when writing SELinux policy and are typically installed on development systems or end-systems during development and testing. Some tools are more focused on typical end-users while others are more focused on experienced policy developers. For example audit2allow can be used by typical users to create policies from denials while sedispol would only be used by experienced developers to understand the ramifications of rules added to the source policy.
| Tool name | Description | Source |
| audit2allow | used to read SELinux denials and show corresponding rules | selinux-python (2.7) or policycoreutils (<= 2.6) |
| audit2why | determine why a denial occured, for example if it was caused by a constraint, requires a kernel policy | selinux-python (2.7) or policycoreutils (<= 2.6) |
| matchpathcon | query the active filecontext file for how a particular path should be labeled | libselinux |
| sechecker | tool to run a variety of tests against a policy, such as attributes not used in any rules, domains with no roles, etc | setools |
| secon | see the context of an selinux object (file, process, key) | policycoreutils |
| dismod | query various parts of a compiled policy module or policy package (distributed as sedismod on Fedora and RHEL) | checkpolicy |
| dispol | query various parts of a compiled kernel policy (distributed as sedispol on Fedora and RHEL) | checkpolicy |
| semodule_expand | expand a base policy module into a kernel policy | semodule-utils (2.7) or policycoreutils (<= 2.6) |
| semodule_link | link a list of policy modules together | semodule-utils (2.7) or policycoreutils (<= 2.6) |
| sepolgen-ifgen | generate the interface file that audit2allow uses to match interfaces to rules when generating refpolicy style policy modules | selinux-python (2.7) or policycoreutils (<= 2.6) |
| SLIDE | SELinux policy IDE based off eclipse | eclipse-slide |
Relabeling tools are used to relabel files given different kinds of inputs. Some tools simply take a context while others query the active file_context file on the system. Some are able to look at the package data of the distribution they are using to get a list of files to be relabeled. Not included in this list is the init script used on some systems to relabel a filesystem automatically at boot time when necessary.
| Tool name | Description | Source |
| chcon | change the context or part of a context on a file | coreutils |
| fixfiles | relabel files or verify file labels based on rpm package name or path; uses active file_context file | policycoreutils |
| rlpkg | relabel files based on gentoo package (gentoo specific) | gentoo |
| restorecon | relabel files based on path | policycoreutils |
| restorecond | daemon that uses inotify to relabel files at runtime | restorecond (2.7) or policycoreutils (<= 2.6) |
| setfiles | relabel files based on path, must provide file_contexts file or verify file context file validity against binary policy | policycoreutils |
Runtime tools are used at runtime on end-systems to change or view the running behavior of SELinux. Some may not be used on secure end-systems such as setroubleshootd.
| Tool name | Description | Source |
| avcstat | give statistics about the in-kernel access vector cache, such as number of lookups, hits and misses | libselinux |
| chcat | change the categories on a file, or the authorized categories for a user | selinux-python (2.7) or policycoreutils (<= 2.6) |
| genhomedircon | generate user home directory file contexts based on template file contexts (HOMEDIR, HOMEROOT, etc) | policycoreutils |
| getenforce | get the enforcing state of the kernel access vector cache | libselinux |
| getsebool | get the current state of an SELinux boolean in the SELinux security server | libselinux |
| load_policy | load the active kernel policy | policycoreutils |
| mcstransd | daemon that provides translations for levels and categories | mcstrans |
| newrole | change your role, type or level, requires re-authentication, suitable for use by user domains | policycoreutils |
| open_init_pty | used by run_init to run a process under a new pty | policycoreutils |
| replcon | replace all or some of a file context, supports globbing and regex in search fields | setools |
| runcon | run a command with a specified SELinux context, does not re-authenticate, suitable for use in scripts to run a service in a different domain | coreutils |
| run_init | run an init script in the appropriate domain | policycoreutils |
| selinuxenabled | Check whether SELinux is currently enabled | libselinux |
| semanage | manage several aspects of SELinux including port, interface and node labeling, persistent file context and boolean settings, authorized roles and levels for SELinux users, authorized SELinux users and levels for seusers (login or Linux users), MLS translations and permissive types | selinux-python (2.7) or policycoreutils (<= 2.6) |
| semodule | insert, delete and list SELinux policy modules on the running system | policycoreutils |
| sestatus | get several pieces of information about the running state of SELinux including enabled status, enforcing/permissive, policy name and contexts of various important processes and files | policycoreutils |
| setenforce | set the enforcing state of the kernel access vector cache | libselinux |
| setroubleshootd | a daemon that watches for denials and offers suggestions on fixing them (has multiple frontends including a gnome tray interface) | Red Hat |
| setsebool | set the state of an SELinux boolean either temporarilly or persistently | policycoreutils |
| system-config-selinux | Red Hat GUI that wraps most semanage functionality | Red Hat |
| togglesebool | Toggles an SELinux Boolean, only runtime, not persistently | libselinux |