Tresys Technology, a network services company, has published a set of open source GUI tools for SELinux policy management. Most releases of SELinux include at least one of the Tresys tools, which are:
The following subsections briefly describe these tools. My intention is not to show you how to use the tools but to help you understand what they do, so that you can decide when to use them and which tool to use. Because the tools are regularly improved, I advise you to refer to the tools’ help files for information on operating them. If your SELinux release does not include the Tresys tools, you can obtain them at http://www.tresys.com/.
The
Apol tool enables you to analyze an SELinux
policy. It does not work with the component files that compose the
policy, but only with policy.conf
. So you should
compile the SELinux policy before using Apol. You can do so by
issuing the command:
make load
from within the SELinux src/policy
directory.
Figure 9-1 shows Apol’s main
window after using its File menu to open the
policy.conf
file.
Apol’s main window contains four primary tabs:
Supports searching and viewing policy components: types, type attributes, type aliases, object classes, object permissions, roles, users, initial SIDs, and SElinux Booleans.
Supports working with policy rules:
allow
, neverallow
,
auditallow
, dontaudit
,
type_transition
, and
type_change
declarations.
Supports several analysis operations, including forward and reverse domain transition analyses, direct information flow analysis, and indirect (transitive) information flow analysis.
The following subsections describe the operations associated with Apol’s first three tabs. You can learn more about Apol by studying its help file, available via the Help menu.
As shown in Figure 9-1, the Policy Components tab contains six secondary tabs related to the policy component types:
Lets
you search types, type attributes, and aliases by specifying a
regular expression. Double-clicking a type, attribute, or alias
provides a summary description. The Search Results window displays
policy.conf
lines related to types and
attributes having names matching the regular expression.
Lets you search object classes, common
permissions, and permissions by specifying a regular expression. The
Search Results window displays policy.conf
lines
related to object classes having names matching the regular
expression. Double-clicking a class, common permission, or permission
provides a summary description. Figure 9-2 shows a
sample query and its result.
Lets you search roles and their attributes by specifying regular expressions for role or type. The tab makes it simple to identify all roles that include a specified type. Double-clicking a role provides a summary description. Figure 9-3 shows the result of a query requesting all roles.
Lets you search SELinux user identities and their associated roles. Figure 9-4 shows the result of a query requesting all users.
Lets you search initial SIDs and their associated security contexts. Figure 9-5 shows the result of a query requesting all initial SIDs.
Lets you search SELinux Booleans. Figure 9-6 shows the result of a query requesting all Booleans.
Figure 9-7 shows Apol’s Policy Rules tab, which contains three secondary tabs:
This tab lets you search type-enforcement rules. The tab supports several search criteria:
Lets you narrow the scope of a search to include only specified rules.
Lets you search by types and type attributes used as source, target, or default types in rules.
Lets you search by object classes and permissions, returning only rules that reference the specified classes and permissions.
The results window displays all rules matching the specified search
criteria. Each displayed rule includes a hyperlink that points to the
rule’s place in the policy.conf
file.
Figure 9-8 shows the RBAC tab, which lets you search role-based access control rules in much the same way as the TE tab lets you search type enforcement rules.
Figure 9-9 shows the Conditional Expressions tab, which lets you search conditional expressions for the following rule types:
audit
rules
allow
rules
transition
rules
You can search by specifying a regular expression that matches the
name of a Boolean appearing within a conditional expression. Each
rule displayed in the results window include a hyperlink that points
to the rule’s location within the
policy.conf
file.
The Analysis tab is perhaps the most interesting and useful of Apol’s tabs. It enables you to perform three types of analysis:
We generally think of a domain transition as a single step involving two domains: the source (beginning) domain and the target (ending) domain. But suppose your SELinux policy permits domain A to transition to domain B and also permits domain B to transition to domain C. There’s no single-step path between domains A and C. Nevertheless, by executing two transitions a process can move from domain A to domain C.
A forward domain analysis shows the domains that can be reached in one or more transition steps from a given domain. To perform a forward domain transition analysis, you first specify a source domain. Apol then presents a tree identifying the target domains that can be reached directly from the specified source domain. Using a mouse or other pointing device, you can walk the tree, inspecting the rules that authorize each transition. Figure 9-10 shows the result of a simple forward domain analysis.
A reverse domain analysis simply goes in the opposite direction. You specify a target domain, and Apol identifies the source domains that can reach the specified source domain in one or more transition steps.
Direct information flow analysis generalizes the domain analysis operation in two respects. First, it lets you specify the direction of the relationship between domains as IN, OUT, EITHER, or BOTH. Second, the relationship extends beyond domain transitions to include information flows. Roughly speaking, an information flow exists between two domains if one member of the pair can read or write objects having the type of the other member of the pair. For a more precise explanation of information flows, see the white paper titled An Overview of Information Flow Analysis, available on the Tresys web site.
Indirect information flow analysis generalizes direct information flow analysis by showing relationships along indirect paths between pairs of domains. For instance, suppose that no information flow exists between domains A and C. If an information flow exists between domains A and B, and another exists between domains B and C, an indirect information flow may exist between domains A and C. Informally, indirect information flow analysis shows which domains interact with other domains. See the Apol help file for more information on indirect information flow analysis.
Figure 9-11 shows the main window of Seaudit, a GUI tool for viewing AVC messages within system logs. Seaudit can display results in real or nonreal time. Menu items let you specify the columns to be displayed, and search buttons let you construct, save, and run queries that select only a subset of log messages. You can also query the SELinux policy based on information contained within a log entry.
Sepcut helps you browse and edit policy component files. Figure 9-12 shows Sepcut’s main window. The window includes three main tabs:
Seuserx lets you add, change, and delete Linux and SELinux users. Its main window, shown in Figure 9-13, includes five buttons, as well as an Exit button:
Lets you configure characteristics of
generic users—users who don’t have specific
SELinux identities and are therefore associated with the
user_u
SELinux identity.
When you exit Suserx, it automatically loads a new security policy reflecting any changes you’ve made. However, you can use the Update Policy button to manually load a new policy whenever you like