|
|
 |
|
| |
NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Chapter 6. Tools for
Manipulating and Analyzing SELinux
An administrator's job may include analyzing and possibly
manipulating the SELinux policy, as well as doing performance
analysis and tuning. This chapter discusses analysis and
tuning.
For policy manipulation, you may wish to support a new daemon or
discover and fix a problem, as discussed in Chapter 8 Customizing and Writing
Policy. One early step to writing policy is analyzing
existing policy so that you understand how it works. One example of
this is given in Section 2.9.1
How To Backtrack a Rule, where a macro is analyzed
through the process of backtracking to the source of a set of
rules.
While some effective policy analysis can be done using standard
command line text manipulation tools, sophisticated policy analysis
requires stronger tools. The simpler targeted policy consists of
more than 20,000 concatenated lines in policy.conf, which is derived from more than 150
macros and thousands of lines of TE rules and file context
settings, all interacting in very complex ways. Tools such as
apol are designed specifically for doing
analysis of SELinux policy. This chapter discusses these tools,
which are part of the setools package. In
addition to the GUI analysis tools seaudit and apol,
several command line tools that are useful for gathering
information and statistics are explained.
Analysis is also necessary when doing performance tuning. Due to
the real and potential workload imposed by the AVC system, you may
have some situations where being able to manipulate how this works
is useful to improving performance. This chapter presents some
methods to tune your SELinux installation.
In order to use these applications, you need both the setools and setools-gui
packages installed. The other packages you need come with the
SELinux installation: libselinux and
policycoreutils.
 |
Tip |
| |
When you are running a privileged application over ssh, meaning an application that requires you to
have root privileges, you must use the -Y
option. This option enables trusted X11 forwarding:
The configuration requiring this is enabled by default and is
new to Red Hat Enterprise Linux 4.
|
These tools are command line tools, providing formatted output.
They are harder to use as part of command line piping, but they
provide gathered and well formatted information quickly.
- avcstat
-
This provides a short output of the access vector cache
statistics since boot. You can watch the statistics in real time by
specifying a time interval in seconds. This provides updated
statistics since the initial output. The statistics file used is
/selinux/avc/cache_stats, and you can
specify a different cache file with the -f
/path/to/file. For example, this might be useful for reviewing
saved snapshots of /selinux/avc/cache_stats.
avcstat
lookups hits misses allocs reclaims frees
194658175 194645272 12903 12903 880 12402
# This shows one second intervals:
avcstat 1
lookups hits misses allocs reclaims frees
194670327 194657424 12903 12903 880 12402
493 493 0 0 0 0
370 370 0 0 0 0
390 390 0 0 0 0
366 366 0 0 0 0
364 364 0 0 0 0
# With these five second intervals, you see the accumulation
# of lookups and hits over the course of the interval.
avcstat 5
lookups hits misses allocs reclaims frees
194683017 194670114 12903 12903 880 12402
1966 1966 0 0 0 0
1824 1824 0 0 0 0
|
The lookups field shows the
workload of the AVC. It is not uncommon to have the number of
hits be smaller than the number
of lookups.
Section 6.4 Performance
Tuning discusses how to use avcstat for performance tuning.
- seinfo
-
This utility is useful in describing the break down of a policy,
such as the number of classes, types, Booleans, allow rules, and so
forth. Similar in function to some aspects of apol, seinfo is a quick
command line utility that takes policy.conf or a binary policy file as input.
The results are going to be different between binary and source
files. For example, the policy source file uses the { } brackets to group multiple rule
elements onto a single line. A similar effect happens with
attributes, where a single attribute expands into one or many
types. Because these are expanded and no longer relevant in the
binary policy file, they have a return value of zero in the search
results. However, the number of rules greatly increases as each
formerly one line rule using brackets is now a number of individual
lines.
Some items are not present in the binary policy. For example,
neverallow rules are only
checked during policy compile, not during runtime, and initial SIDs
are not part of the binary policy since they are required prior to
the policy being loaded by the kernel during boot.
seinfo $SELINUX_SRC/policy.conf
Statistics for policy file: $SELINUX_SRC/policy.conf
Policy Version: v.18
Policy Type: source
Classes: 53 Permissions: 192
Types: 317 Attributes: 81
Users: 3 Roles: 4
Booleans: 20 Cond. Expr.: 21
Allow: 2292 Neverallow: 7
Auditallow: 2 Dontaudit: 225
Type_trans: 99 Type_change: 0
Role allow: 5 Role trans: 0
Initial SIDs: 27
seinfo $SELINUX_POLICY/policy.18
Statistics for policy file: $SELINUX_POLICY/policy.18
Policy Version: v.18
Policy Type: binary
Classes: 53 Permissions: 192
Types: 316 Attributes: 0
Users: 3 Roles: 4
Booleans: 20 Cond. Expr.: 21
Allow: 11134 Neverallow: 0
Auditallow: 2 Dontaudit: 569
Type_trans: 157 Type_change: 0
Role allow: 5 Role trans: 0
Initial SIDs: 0
|
- sesearch
-
Similar to the way that seinfo provides
light information gathering functionality from apol on the command line, sesearch lets you search for a particular type in
the policy. Policy source or binary can be used.
sesearch -a -t httpd_sys_content_t $SELINUX_POLICY/policy.conf
5 Rules match your search criteria
allow httpd_suexec_t { httpd_sys_content_t \
httpd_sys_script_ro_t httpd_sys_script_rw_t \
httpd_sys_script_exec_t } : dir { getattr search };
allow httpd_sys_script_t httpd_sys_content_t : dir \
{ getattr search };
allow httpd_t httpd_sys_content_t : dir { read getattr \
lock search ioctl };
allow httpd_t httpd_sys_content_t : file { read getattr \
lock ioctl };
allow httpd_t httpd_sys_content_t : lnk_file { getattr \
read };
# This same search, when performed on the binary policy file,
# generates 38 matching rules.
|
There are command line options to sesearch to control various factors of the
search:
| Option |
Behavior |
| -s, --source
<NAME> |
Search for rules that have the search expression as a source;
<NAME> is a regular
expression. |
| -t, --target
<NAME> |
Search for rules that have <NAME>
as a target. |
| -c, --class
<NAME> |
Search for rules that have <NAME>
as the object class. |
| -p, --perms
<P1[,P2...]> |
Search for one or more specific permissions. |
| --allow |
Search for only allow
rules. |
| --neverallow |
Search for only neverallow
rules. |
| --audit |
Search for only dontaudit
and auditallow rules. |
| --type |
Search for only type transition (type_trans) and type change (type_change) rules. |
| -i, --indirect |
Do an indirect search, which looks for rules deriving from a
type's attribute. |
| -n, --noregex |
Do not use regular expression matching for types and attributes
searched for. |
| -a, --all |
Show all rules. You must specify one of the rule types in your
search terms: -a, --allow, --audit, --neverallow, or --type. |
| -l, --lineno |
In the search results, specify the line number in policy.conf. This option is ignored when you search
a binary policy. |
Table 6-1. Options for sesearch
|
|
|
