Chapter 6. Tools for Manipulating and Analyzing SELinux
An administrator's job may include analyzing and possibly manipulating the
SELinux policy, as well as doing performance analysis and tuning. This
chapter discusses analysis and tuning.
For policy manipulation, you may wish to support a new daemon or discover
and fix a problem, as discussed in Chapter 8 Customizing and Writing Policy.
One early step to writing policy is analyzing existing policy so that you
understand how it works. One example of this is given in Section 2.9.1 How To Backtrack a Rule, where a macro is analyzed through
the process of backtracking to the source of a set of rules.
While some effective policy analysis can be done using standard command line
text manipulation tools, sophisticated policy analysis requires stronger
tools. The simpler targeted policy consists of more than 20,000
concatenated lines in policy.conf, which is derived
from more than 150 macros and thousands of lines of TE rules and file
context settings, all interacting in very complex ways. Tools such as
apol are designed specifically for doing analysis of SELinux policy. This
chapter discusses these tools, which are part of the
setools package. In addition to the GUI analysis tools
seaudit and apol, several command line tools that are useful for
gathering information and statistics are explained.
Analysis is also necessary when doing performance tuning. Due to the real
and potential workload imposed by the AVC system, you may have some
situations where being able to manipulate how this works is useful to
improving performance. This chapter presents some methods to tune your
SELinux installation.
In order to use these applications, you need both the
setools and setools-gui packages
installed. The other packages you need come with the SELinux installation:
libselinux and policycoreutils.
Tip
When you are running a privileged application over ssh,
meaning an application that requires you to have root privileges, you must
use the -Y option of ssh. This option enables trusted X11
forwarding.
The following tools are command line tools that produce formatted output.
They are harder to use as part of a command line pipeline, but they
gather and present well formatted information quickly.
avcstat
This provides a short output of the access vector cache statistics
since boot. You can watch the statistics in real time by specifying
a time interval in seconds; each line after the first then shows the
counts accumulated during that interval. The statistics file used is
/selinux/avc/cache_stats, and you can specify a
different cache file with -f /path/to/file. For
example, this is useful for reviewing saved snapshots of
/selinux/avc/cache_stats.
avcstat
lookups hits misses allocs reclaims frees
194658175 194645272 12903 12903 880 12402
# This shows one second intervals:
avcstat 1
lookups hits misses allocs reclaims frees
194670327 194657424 12903 12903 880 12402
493 493 0 0 0 0
370 370 0 0 0 0
390 390 0 0 0 0
366 366 0 0 0 0
364 364 0 0 0 0
# With these five second intervals, you see the accumulation
# of lookups and hits over the course of the interval.
avcstat 5
lookups hits misses allocs reclaims frees
194683017 194670114 12903 12903 880 12402
1966 1966 0 0 0 0
1824 1824 0 0 0 0
The lookups field shows the workload
of the AVC. It is not uncommon for the number of
hits to be smaller than the number of
lookups; the difference is the number of misses.
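The interval arithmetic avcstat performs, as an added example that is not part of setools: it sums the per-CPU rows of two saved /selinux/avc/cache_stats snapshots (constructed sample data, assumed to follow the kernel's layout of a header line followed by one row per CPU), takes the difference, and reports the hit ratio.

```python
# Added example (not part of setools): sum the per-CPU rows of a saved
# /selinux/avc/cache_stats snapshot and compute the per-interval deltas
# and hit ratio, the way avcstat does for its interval output.
FIELDS = ("lookups", "hits", "misses", "allocs", "reclaims", "frees")

# Constructed snapshots of /selinux/avc/cache_stats taken one second
# apart on a two-CPU machine: a header line, then one row per CPU.
SNAPSHOT_T0 = """\
lookups hits misses allocations reclaims frees
97329087 97322636 6451 6451 440 6201
97329088 97322636 6452 6452 440 6201
"""
SNAPSHOT_T1 = """\
lookups hits misses allocations reclaims frees
97329333 97322882 6451 6451 440 6201
97329335 97322883 6452 6452 440 6201
"""

def parse_cache_stats(text):
    """Sum the per-CPU rows into one dict keyed by FIELDS; columns are
    taken by position, so the kernel's 'allocations' maps to 'allocs'."""
    totals = dict.fromkeys(FIELDS, 0)
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for values in rows[1:]:                     # rows[0] is the header
        if len(values) != len(FIELDS):
            raise ValueError("malformed cache_stats row: %r" % values)
        for name, value in zip(FIELDS, values):
            totals[name] += int(value)
    return totals

def interval_delta(before, after):
    """Counts accumulated between two snapshots (avcstat's later lines)."""
    return {name: after[name] - before[name] for name in FIELDS}

def hit_ratio(stats):
    """Fraction of lookups answered from the cache; None without lookups."""
    if stats["lookups"] == 0:
        return None
    return stats["hits"] / stats["lookups"]

if __name__ == "__main__":
    t0 = parse_cache_stats(SNAPSHOT_T0)
    delta = interval_delta(t0, parse_cache_stats(SNAPSHOT_T1))
    print("since boot:", t0, "hit ratio %.5f" % hit_ratio(t0))
    print("last interval:", delta, "hit ratio %.5f" % hit_ratio(delta))
```

The summed first snapshot reproduces the first avcstat line shown above, and the delta reproduces its first one-second interval line.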
seinfo
This utility is useful for describing the breakdown of a policy,
such as the number of classes, types, Booleans, allow rules, and so
forth. Similar in function to some aspects of apol,
seinfo is a quick command line utility that takes
policy.conf or a binary policy file as input.
The results are going to be different between binary and source
files. For example, the policy source file uses the
{ } brackets to group multiple rule
elements onto a single line. A similar effect happens with
attributes, where a single attribute expands into one or many types.
Because these are expanded and no longer relevant in the binary
policy file, they have a return value of zero in the search results.
However, the number of rules greatly increases as each formerly one
line rule using brackets is now a number of individual lines.
Some items are not present in the binary policy. For example,
neverallow rules are only checked
during policy compile, not during runtime, and initial SIDs are not
part of the binary policy since they are required prior to the
policy being loaded by the kernel during boot.
sesearch
Similar to the way that seinfo provides, on the command line, a light
version of the information gathering functionality of apol,
sesearch lets you search for rules involving a particular type in
the policy. Either the policy source or a binary policy can be used.
sesearch -a -t httpd_sys_content_t $SELINUX_POLICY/policy.conf
5 Rules match your search criteria
allow httpd_suexec_t { httpd_sys_content_t \
httpd_sys_script_ro_t httpd_sys_script_rw_t \
httpd_sys_script_exec_t } : dir { getattr search };
allow httpd_sys_script_t httpd_sys_content_t : dir \
{ getattr search };
allow httpd_t httpd_sys_content_t : dir { read getattr \
lock search ioctl };
allow httpd_t httpd_sys_content_t : file { read getattr \
lock ioctl };
allow httpd_t httpd_sys_content_t : lnk_file { getattr \
read };
# This same search, when performed on the binary policy file,
# generates 38 matching rules.
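Part of the reason the binary search above matches many more rules than the source search is described in the seinfo discussion: each bracketed source rule is stored in the binary policy as one rule per source, target and class combination. The following added example (not setools code) parses the five sesearch lines shown above and performs that expansion; attribute expansion is not modelled, since it needs the policy itself, so the count it reports is still lower than the binary figure.

```python
# Added example (not part of setools): expand the { } groups in sesearch
# output from policy.conf into the individual (source, target, class)
# rules that the binary policy actually stores. Attribute expansion is
# not modelled here (it needs the policy), so a binary search still
# matches more rules than this count.
import re

# The five rules sesearch printed above, with backslash continuations.
SESEARCH_OUTPUT = r"""
allow httpd_suexec_t { httpd_sys_content_t \
httpd_sys_script_ro_t httpd_sys_script_rw_t \
httpd_sys_script_exec_t } : dir { getattr search };
allow httpd_sys_script_t httpd_sys_content_t : dir \
{ getattr search };
allow httpd_t httpd_sys_content_t : dir { read getattr \
lock search ioctl };
allow httpd_t httpd_sys_content_t : file { read getattr \
lock ioctl };
allow httpd_t httpd_sys_content_t : lnk_file { getattr \
read };
"""

# A field is either a single name or a brace-delimited group.
FIELD = r"(\{[^}]*\}|\S+)"
RULE_RE = re.compile(
    r"(allow|auditallow|dontaudit|neverallow)\s+" + FIELD + r"\s+" + FIELD
    + r"\s*:\s*" + FIELD + r"\s+" + FIELD + r"\s*;")

def _names(field):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return field.strip("{}").split()

def expand_rules(text):
    """Return one (kind, source, target, class, perms) tuple per expanded
    rule; perms stays a set, as it is a permission bitmap in the avtab."""
    joined = text.replace("\\\n", " ")          # undo line continuations
    expanded = []
    for kind, src, tgt, cls, perms in RULE_RE.findall(joined):
        permset = frozenset(_names(perms))
        for s in _names(src):
            for t in _names(tgt):
                for c in _names(cls):
                    expanded.append((kind, s, t, c, permset))
    return expanded

if __name__ == "__main__":
    for rule in expand_rules(SESEARCH_OUTPUT):
        print(rule)
    print("%d expanded rules" % len(expand_rules(SESEARCH_OUTPUT)))
```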
There are command line options to sesearch to
control various factors of the search:
Option                      Behavior
-s, --source <NAME>         Search for rules that have the search expression
                            as a source; <NAME> is a regular expression.
-t, --target <NAME>         Search for rules that have <NAME> as a target.
-c, --class <NAME>          Search for rules that have <NAME> as the object
                            class.
-p, --perms <P1[,P2...]>    Search for one or more specific permissions.
--allow                     Search for only allow rules.
--neverallow                Search for only neverallow rules.
--audit                     Search for only dontaudit and auditallow rules.
--type                      Search for only type transition (type_trans)
                            and type change (type_change) rules.
-i, --indirect              Do an indirect search, which looks for rules
                            deriving from a type's attribute.
-n, --noregex               Do not use regular expression matching for the
                            types and attributes searched for.
-a, --all                   Show all rules. You must specify one of the rule
                            types in your search terms: -a, --allow,
                            --audit, --neverallow, or --type.
-l, --lineno                In the search results, show the line number in
                            policy.conf. This option is ignored when you
                            search a binary policy.