Chapter 6. Tools for Manipulating and Analyzing SELinux
An administrator's job may include analyzing and possibly manipulating the SELinux policy, as well as doing performance analysis and tuning. This chapter discusses analysis and tuning.
For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as discussed in Chapter 8 Customizing and Writing Policy. One early step to writing policy is analyzing existing policy so that you understand how it works. One example of this is given in Section 2.9.1 How To Backtrack a Rule, where a macro is analyzed through the process of backtracking to the source of a set of rules.
While some effective policy analysis can be done using standard command line text manipulation tools, sophisticated policy analysis requires stronger tools. The simpler targeted policy consists of more than 20,000 concatenated lines in policy.conf, which is derived from more than 150 macros and thousands of lines of TE rules and file context settings, all interacting in very complex ways. Tools such as apol are designed specifically for doing analysis of SELinux policy. This chapter discusses these tools, which are part of the setools package. In addition to the GUI analysis tools seaudit and apol, several command line tools that are useful for gathering information and statistics are explained.
Analysis is also necessary when doing performance tuning. Due to the real and potential workload imposed by the AVC system, you may have some situations where being able to manipulate how this works is useful to improving performance. This chapter presents some methods to tune your SELinux installation.
In order to use these applications, you need both the setools and setools-gui packages installed. The other packages you need come with the SELinux installation: libselinux and policycoreutils.
 | Tip | |
|---|---|---|
When you are running a privileged application over ssh, meaning an application that requires you to have root privileges, you must use the -Y option. This option enables trusted X11 forwarding:
The configuration requiring this is enabled by default and is new to Red Hat Enterprise Linux 4. |
6.1. Information Gathering Tools
These tools are command line tools, providing formatted output. They are harder to use as part of command line piping, but they provide gathered and well formatted information quickly.
- avcstat
This provides a short output of the access vector cache statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds. This provides updated statistics since the initial output. The statistics file used is /selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file. For example, this might be useful for reviewing saved snapshots of /selinux/avc/cache_stats.
avcstat lookups hits misses allocs reclaims frees 194658175 194645272 12903 12903 880 12402 # This shows one second intervals: avcstat 1 lookups hits misses allocs reclaims frees 194670327 194657424 12903 12903 880 12402 493 493 0 0 0 0 370 370 0 0 0 0 390 390 0 0 0 0 366 366 0 0 0 0 364 364 0 0 0 0 # With these five second intervals, you see the accumulation # of lookups and hits over the course of the interval. avcstat 5 lookups hits misses allocs reclaims frees 194683017 194670114 12903 12903 880 12402 1966 1966 0 0 0 0 1824 1824 0 0 0 0The lookups field shows the workload of the AVC. It is not uncommon to have the number of hits be smaller than the number of lookups.
Section 6.4 Performance Tuning discusses how to use avcstat for performance tuning.
- seinfo
This utility is useful in describing the break down of a policy, such as the number of classes, types, Booleans, allow rules, and so forth. Similar in function to some aspects of apol, seinfo is a quick command line utility that takes policy.conf or a binary policy file as input.
The results are going to be different between binary and source files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases as each formerly one line rule using brackets is now a number of individual lines.
Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial SIDs are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.
seinfo $SELINUX_SRC/policy.conf Statistics for policy file: $SELINUX_SRC/policy.conf Policy Version: v.18 Policy Type: source Classes: 53 Permissions: 192 Types: 317 Attributes: 81 Users: 3 Roles: 4 Booleans: 20 Cond. Expr.: 21 Allow: 2292 Neverallow: 7 Auditallow: 2 Dontaudit: 225 Type_trans: 99 Type_change: 0 Role allow: 5 Role trans: 0 Initial SIDs: 27 seinfo $SELINUX_POLICY/policy.18 Statistics for policy file: $SELINUX_POLICY/policy.18 Policy Version: v.18 Policy Type: binary Classes: 53 Permissions: 192 Types: 316 Attributes: 0 Users: 3 Roles: 4 Booleans: 20 Cond. Expr.: 21 Allow: 11134 Neverallow: 0 Auditallow: 2 Dontaudit: 569 Type_trans: 157 Type_change: 0 Role allow: 5 Role trans: 0 Initial SIDs: 0
- sesearch
Similar to the way that seinfo provides light information gathering functionality from apol on the command line, sesearch lets you search for a particular type in the policy. Policy source or binary can be used.
sesearch -a -t httpd_sys_content_t $SELINUX_POLICY/policy.conf 5 Rules match your search criteria allow httpd_suexec_t { httpd_sys_content_t \ httpd_sys_script_ro_t httpd_sys_script_rw_t \ httpd_sys_script_exec_t } : dir { getattr search }; allow httpd_sys_script_t httpd_sys_content_t : dir \ { getattr search }; allow httpd_t httpd_sys_content_t : dir { read getattr \ lock search ioctl }; allow httpd_t httpd_sys_content_t : file { read getattr \ lock ioctl }; allow httpd_t httpd_sys_content_t : lnk_file { getattr \ read }; # This same search, when performed on the binary policy file, # generates 38 matching rules.There are command line options to sesearch to control various factors of the search:
Option Behavior -s, --source <NAME> Search for rules that have the search expression as a source; <NAME> is a regular expression. -t, --target <NAME> Search for rules that have <NAME> as a target. -c, --class <NAME> Search for rules that have <NAME> as the object class. -p, --perms <P1[,P2...]> Search for one or more specific permissions. --allow Search for only allow rules. --neverallow Search for only neverallow rules. --audit Search for only dontaudit and auditallow rules. --type Search for only type transition (type_trans) and type change (type_change) rules. -i, --indirect Do an indirect search, which looks for rules deriving from a type's attribute. -n, --noregex Do not use regular expression matching for types and attributes searched for. -a, --all Show all rules. You must specify one of the rule types in your search terms: -a, --allow, --audit, --neverallow, or --type. -l, --lineno In the search results, specify the line number in policy.conf. This option is ignored when you search a binary policy. Table 6-1. Options for sesearch