5.11. Information Gathering Tools
These command line tools produce formatted output. They are harder to use in command line pipelines, but they gather and present well-formatted information quickly.
The avcstat command provides a short summary of the access vector cache (AVC) statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds; this provides updated statistics since the initial output. The statistics file used is /selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file option.
[root@localhost ~]# avcstat
lookups hits misses allocs reclaims frees
47517410 47504630 12780 12780 12176 12275
The seinfo utility is useful for describing the breakdown of a policy, such as the number of classes, types, Booleans, allow rules, and so on. seinfo is a command line utility that uses either the policy.conf file or a binary policy file as input.
The output of seinfo will vary between binary and source files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases, as each formerly one-line rule using brackets is now a number of individual lines.
Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial SIDs are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.
[root@localhost ]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Classes: 77 Permissions: 229
Sensitivities: 1 Categories: 1024
Types: 3001 Attributes: 244
Users: 9 Roles: 13
Booleans: 158 Cond. Expr.: 193
Allow: 262796 Neverallow: 0
Auditallow: 44 Dontaudit: 156710
Type_trans: 10760 Type_change: 38
Type_member: 44 Role allow: 20
Role_trans: 237 Range_trans: 2546
Constraints: 62 Validatetrans: 0
Initial SIDs: 27 Fs_use: 22
Genfscon: 82 Portcon: 373
Netifcon: 0 Nodecon: 0
Permissives: 22 Polcap: 2
[root@localhost ]#
The seinfo command can also list the number of types with the domain attribute, giving an estimate of the number of different confined processes:
# seinfo -adomain -x | wc -l
550
Not all domain types are confined. To look at the number of unconfined domains, use the unconfined_domain_type attribute:
# seinfo -aunconfined_domain_type -x | wc -l
52
Permissive domains can be counted with the --permissive option.
# seinfo --permissive -x | wc -l
31
Remove the | wc -l portion of the above commands to see the full lists.
You can use the sesearch command to search for a particular type in the policy. You can search either policy source files or the binary file. For example:
[scott@localhost ~]$ sesearch --role_allow -t httpd_sys_content_t \
/etc/selinux/targeted/policy/policy.24
Found 20 role allow rules:
allow system_r sysadm_r;
allow sysadm_r system_r;
allow sysadm_r staff_r;
allow sysadm_r user_r;
allow system_r git_shell_r;
allow system_r guest_r;
allow logadm_r system_r;
allow system_r logadm_r;
allow system_r nx_server_r;
allow system_r staff_r;
allow staff_r logadm_r;
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow staff_r webadm_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
allow system_r user_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r xguest_r;
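The role allow listing above can be post-processed to answer a policy-audit question: which roles have a chain of role allow rules leading to unconfined_r. The following Python is an added example, not part of the original guide; the function names are hypothetical, SAMPLE is the output shown above embedded so the code runs offline, and it goes beyond the page by following chains of rules rather than listing single rules.

```python
import re
from collections import defaultdict, deque

# Sample input: the role allow rules printed by the sesearch run above.
SAMPLE = """Found 20 role allow rules:
allow system_r sysadm_r;
allow sysadm_r system_r;
allow sysadm_r staff_r;
allow sysadm_r user_r;
allow system_r git_shell_r;
allow system_r guest_r;
allow logadm_r system_r;
allow system_r logadm_r;
allow system_r nx_server_r;
allow system_r staff_r;
allow staff_r logadm_r;
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow staff_r webadm_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
allow system_r user_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r xguest_r;
"""

# Matches one rule line; leading whitespace is tolerated.
RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*;\s*$")

def parse_role_allow(text):
    """Return (source_role, target_role) pairs from sesearch --role_allow output."""
    return [m.groups() for m in map(RULE.match, text.splitlines()) if m]

def roles_reaching(edges, target):
    """Map each role that has a rule chain to target onto the shortest chain length."""
    reverse = defaultdict(set)              # target role -> roles allowed to change to it
    for src, dst in edges:
        reverse[dst].add(src)
    dist, queue = {target: 0}, deque([target])
    while queue:                            # breadth-first walk backwards from target
        role = queue.popleft()
        for prev in reverse[role]:
            if prev not in dist:
                dist[prev] = dist[role] + 1
                queue.append(prev)
    dist.pop(target)                        # the target itself is not reported
    return dist

if __name__ == "__main__":
    print(sorted(roles_reaching(parse_role_allow(SAMPLE), "unconfined_r").items()))
```

A role allow rule is necessary but not sufficient for a role change, so the result is an upper bound on which roles can end up in unconfined_r. On a live system, pass the text printed by sesearch --role_allow to parse_role_allow instead of SAMPLE.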
The sesearch command can provide the number of allow rules:
# sesearch --allow | wc -l
262798
And the number of dontaudit rules:
# sesearch --dontaudit | wc -l
156712