5.3. Analyst Control of SELinux
This section presents some common tasks that a security analyst might need to do on an SELinux system.
5.3.1. Enable Kernel Auditing
You may wish to have the full kernel-level auditing available when doing analysis or troubleshooting. This can be quite verbose, since it generates one or more additional audit message(s) for each AVC audit message. To enable, append the parameter audit=1 to your kernel boot line, either through /etc/grub.conf or via the GRUB menu during boot.
This is an example of a full audit log entry when httpd is denied access to ~/public_html because the directory is not labeled as Web content:
# Notice that the time and serial number stamps in the audit(...)
# field are identical, making it easier to track a specific
# event in the audit logs:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
avc: denied { getattr } for pid=2239 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dir
# This audit message tells more about the source, including the
# kind of syscall involved, showing that httpd tried to stat the
# directory:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
# This message tells more about the target:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
item=0 name=/home/auser/public_html inode=921135 dev=00:00 |
By design, the serial number stamp is always identical for a particular audited event. The time stamp may not always be identical but most often is identical.
 | Note |
|---|---|
If you are using an audit daemon for troubleshooting, the daemon may capture audit messages into another location than /var/log/messages, such as /var/log/audit.log. Red Hat Enterprise Linux 4 does not ship with an audit daemon, but work on this is ongoing. |
5.3.2. Dump or View Policy
While there is no formal way to dump the policy in memory, there are several tools which make it easier to view and analyze policy. Here are three ways of viewing the policy.
The binary policy directory at $SELINUX_POLICY/ contains information on Booleans and file contexts. You can analyze the binary policy with the setools such as apol and seinfo, which are discussed in Chapter 6 Tools for Manipulating and Analyzing SELinux.
You can read more about where the policy files are located starting in Section 2.2 Where is the Policy?.
For a more thorough analysis, nothing equals the policy source, located in $SELINUX_SRC/ and discussed extensively in Chapter 2 SELinux Policy Overview and Chapter 3 Targeted Policy Overview.
Standard command line text processing tools and the setools are two essential methods for viewing and understanding the policy source.
Currently, the best method for analyzing SELinux policy is to use the setools. One GUI tool in particular is apol, which provides fairly complex analysis capabilities. This is discussed more thoroughly in Section 6.3 Using apol for Policy Analysis.
5.3.3. Dump and View Logs
The SELinux implementation in Red Hat Enterprise Linux 4 routes AVC audit messages to /var/log/messages. You can seek just the audit messages using grep and searching for avc or audit.
As discussed in Section 6.2 Using seaudit for Audit Log Analysis, seaudit is a GUI tool for organizing and analyzing just policy messages. The tool seaudit-report generates text or HTML reports of audit messages.
5.3.4. Viewing AVC Statistics
The best way to view formatted statistics about the access vector cache is to use avcstat. This is explained in Section 6.1 Information Gathering Tools.