stephensmalley edited this page Aug 31, 2017 · 3 revisions


Analysis tools are primarily used to analyze the on-disk policy for certain criteria, for example information flow. These tools form the basis on which we can make claims concerning the security properties of an SELinux system. They are required on development systems being used to analyze a target policy, and are rarely installed on the target production systems.

Tool name Description Source
apol perform many analyses on the target policy including domain transition, information flow, standard queries, filesystem analysis and so on setools
sediff perform a semantic difference between two policies setools
sediffx graphical version of sediff setools
sesearch query a policy file for various parts of the policy such as te rules, symbols, etc setools

Build time

Build time tools are used during building a policy from source into modules or a monolithic kernel policy. They are required on systems that intend to build policies from source, including production systems that use tools such as audit2allow to add new policy rules at runtime. They would not be used on secure end-systems.

Tool name Description Source
checkmodule create a policy module from a module source file checkpolicy
checkpolicy create a kernel policy from a policy source file checkpolicy
fcsort tool included with the reference policy that sorts filecontext files during policy build time refpolicy generate documentation from reference policy xml comments refpolicy
semodule_package create a policy package from a compiled module and optionally file context, seuser, userextra, and netfilter context file semodule-utils (2.7) or policycoreutils (<= 2.6)


Debugging tools give policy developers and SELinux toolchain developers information useful in finding or troubleshooting a problem related to SELinux. They may be installed on end-systems during development and testing but not typically during production.

Tool name Description Source
avcstat give statistics about the in-kernel access vector cache, such as number of lookups, hits and misses libselinux
chkcon verify that a context is valid in an on-disk policy libsepol
compute_av query the kernel security server for an access vector decision libselinux
compute_create query the kernel security server for a transition decision libselinux
compute_member query the kernel security server for a labeling decision on a polyinstanciated object libselinux
compute_relabel query the kernel security server for a relabel decision libselinux
compute_user query the kernel security server for a set of reachable user contexts from a source context libselinux
getconlist uses security_compute_user(3) and orders the resulting list based on default_contexts file and per-user context files libselinux
getdefaultcon same as getconlist but only returns the first context libselinux
getfilecon get the context of a file by path libselinux
getpidcon get the context of a process by pid number libselinux
getseuser query the seuser file for the resulting SELinux user and context for a particular linux login and login context libselinux
policyvers query the kernel security server for the maximum policy version supported libselinux
seinfo query various parts of an on-disk policy such as a list of types, list of nodecons, etc setools
selinux_check_secure_tty_context Check whether a tty context is a securetty context libselinux
sestatus get several pieces of information about the running state of SELinux including enabled status, enforcing/permissive, policy name and contexts of various important processes and files policycoreutils


Development tools are used when writing SELinux policy and are typically installed on development systems or end-systems during development and testing. Some tools are more focused on typical end-users while others are more focused on experienced policy developers. For example audit2allow can be used by typical users to create policies from denials while sedispol would only be used by experienced developers to understand the ramifications of rules added to the source policy.

Tool name Description Source
audit2allow used to read SELinux denials and show corresponding rules selinux-python (2.7) or policycoreutils (<= 2.6)
audit2why determine why a denial occured, for example if it was caused by a constraint, requires a kernel policy selinux-python (2.7) or policycoreutils (<= 2.6)
CDS Framework IDE based on eclipse to write policies for cross domain solutions cds framework
findcon search the filesystem, a filecontexts file or a database generated by indexcon for parts of a context setools
indexcon generate a database of file contexts setools
matchpathcon query the active filecontext file for how a particular path should be labeled libselinux
seaudit view, sort and save SELinux denials setools
seaudit-report generate a customized SELinux log report setools
sechecker tool to run a variety of tests against a policy, such as attributes not used in any rules, domains with no roles, etc setools
secon see the context of an selinux object (file, process, key) policycoreutils
dismod query various parts of a compiled policy module or policy package (distributed as sedismod on Fedora and RHEL) checkpolicy
dispol query various parts of a compiled kernel policy (distributed as sedispol on Fedora and RHEL) checkpolicy
seedit third party gui to create policy, not compatible with refpolicy, uses path to generate file types seedit
selinux-polgengui Red Hat GUI to create policies based on several templates, such as standard daemon, web app, user role, etc Red Hat
semodule_deps show policy module dependencies semodule-utils (2.7) or policycoreutils (<= 2.6)
semodule_expand expand a base policy module into a kernel policy semodule-utils (2.7) or policycoreutils (<= 2.6)
semodule_link link a list of policy modules together semodule-utils (2.7) or policycoreutils (<= 2.6)
sepolgen-ifgen generate the interface file that audit2allow uses to match interfaces to rules when generating refpolicy style policy modules selinux-python (2.7) or policycoreutils (<= 2.6)
SLIDE SELinux policy IDE based off eclipse eclipse-slide


Relabeling tools are used to relabel files given different kinds of inputs. Some tools simply take a context while others query the active file_context file on the system. Some are able to look at the package data of the distribution they are using to get a list of files to be relabeled. Not included in this list is the init script used on some systems to relabel a filesystem automatically at boot time by creating a .autorelabel file in the root partition.

Tool name Description Source
chcon change the context or part of a context on a file coreutils
fixfiles relabel files or verify file labels based on rpm package name or path; uses active file_context file policycoreutils
rlpkg relabel files based on gentoo package (gentoo specific) gentoo
restorecon relabel files based on path policycoreutils
restorecond daemon that uses inotify to relabel files at runtime restorecond (2.7) or policycoreutils (<= 2.6)
setfilecon set the context of a path libselinux
setfiles relabel files based on path, must provide filecontexts file or verify filecontext file validity against binary policy policycoreutils


Runtime tools are used at runtime on end-systems to change or view the running behavior of SELinux. Some may not be used on secure end-systems such as setroubleshootd.

Tool name Description Source
avc_toggle toggle the enforcing state of the kernel security server (only distributed on Gentoo now) gentoo
chcat change the categories on a file, or the authorized categories for a user selinux-python (2.7) or policycoreutils (<= 2.6)
genhomedircon generate user home directory file contexts based on template file contexts (HOMEDIR, HOMEROOT, etc) policycoreutils
getenforce get the enforcing state of the kernel access vector cache libselinux
getsebool get the current state of an SELinux boolean in the SELinux security server libselinux
load_policy load the active kernel policy policycoreutils
mcstransd daemon that provides translations for levels and categories mcstrans
newrole change your role, type or level, requires re-authentication, suitable for use by user domains policycoreutils
open_init_pty used by run_init to run a process under a new pty policycoreutils
replcon replace all or some of a file context, supports globbing and regex in search fields setools
runcon run a command with a specified SELinux context, does not re-authenticate, suitable for use in scripts to run a service in a different domain coreutils
run_init run an init script in the appropriate domain policycoreutils
seadmin third party gui that wraps semanage functionality seadmin
segatex third party gui that wraps semanage functionality segatex
selinuxenabled Check whether SELinux is currently enabled libselinux
semanage manage several aspects of SELinux including port, interface and node labeling, persistent file context and boolean settings, authorized roles and levels for SELinux users, authorized SELinux users and levels for seusers (login or Linux users), MLS translations and permissive types selinux-python (2.7) or policycoreutils (<= 2.6)
semodule insert, delete and list SELinux policy modules on the running system policycoreutils
setenforce set the enforcing state of the kernel access vector cache libselinux
setroubleshootd a daemon that watches for denials and offers suggestions on fixing them (has multiple frontends including a gnome tray interface) Red Hat
setsebool set the state of an SELinux boolean either temporarilly or persistently policycoreutils
system-config-selinux Red Hat GUI that wraps most semanage functionality Red Hat
togglesebool Toggles an SELinux Boolean, only runtime, not persistently libselinux
update-selinux-conf lets you change the policy SELINUXTYPE in /etc/selinux/config (Ubuntu specific) Ubuntu
update-selinux-policy rebuilds the policy based on the pp files in /etc/selinux.d (Ubuntu specific) Ubuntu
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.