Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is a command line tool for the configuration file-driven automated policy analysis. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
- Loading branch information
Showing
2 changed files
with
264 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,190 @@ | ||
.TH sechecker 1 2020-06-09 "SELinux Project" "SETools: SELinux Policy Analysis Tools" | ||
|
||
.SH NAME | ||
sechecker \- Configuration-driven automated SELinux policy analysis | ||
|
||
.SH SYNOPSIS | ||
\fBsechecker\fR [OPTIONS] config.ini [POLICY] | ||
|
||
.SH DESCRIPTION | ||
.PP | ||
\fBsechecker\fR is an automated SELinux policy analysis tool. It uses a | ||
configuration file to define one or more analysis checks. | ||
|
||
.SH POLICY | ||
.PP | ||
A single file containing a binary policy. This file is usually named by version | ||
on Linux systems, for example, \fIpolicy.30\fR. This file is usually named | ||
\fIsepolicy\fR on Android systems. If not provided, \fBsechecker\fR will attempt | ||
to locate and open the current policy running on the system. | ||
|
||
.SH OPTIONS | ||
.IP "-o <path>" | ||
Output the results to the specified path instead of stdout. | ||
.IP "-h, --help" | ||
Print help information and exit. | ||
.IP "--version" | ||
Print version information and exit. | ||
.IP "-v, --verbose" | ||
Print additional informational messages. | ||
.IP "--debug" | ||
Enable debugging output. | ||
|
||
.SH RETURN CODES | ||
\fBsechecker\fR has the following return codes: | ||
.TP | ||
.B 0 | ||
All checks passed. | ||
.TP | ||
.B 1 | ||
One or more checks failed. | ||
.TP | ||
.B 2 | ||
Error in the configuration file. | ||
.TP | ||
.B 3 | ||
Other errors, such as policy open error. | ||
|
||
.SH "CONFIGURATION FILE" | ||
The configuration file is in the .ini format. Each section is considered | ||
a check, with the configuration section name being the name of the check. All | ||
checks have the following options: | ||
|
||
.IP "check_type = <name>" | ||
This selects the type of test be be used in this check. This is required. | ||
.IP "desc = <text>" | ||
This is an optional text field. If set, the contents are printed in the output | ||
and is typically used to explain the purpose of the check. | ||
.IP "disable = <text>" | ||
This is an optional text field. If it is set, the check will not run and the | ||
contents of this text will be added to the report to explain why the check | ||
was not ran. | ||
|
||
.SH "TYPE ENFORCEMENT ALLOW RULE ASSERTION" | ||
This checks for the nonexistence of type enforcement allow rules. The check_type | ||
is \fBassert_te\fR. It will run the query and any results from the query, | ||
removing any exempted sources or targets, will be listed as failures. | ||
If a rule has an empty attribute, rendering it useless, it will | ||
be ignored. If a rule has an attribute, it will be considered | ||
a failure unless all of the member types are exempted. | ||
|
||
.PP | ||
Criteria options: | ||
.IP "source = <type or type attribute>" | ||
The source type/attribute criteria for the query. | ||
.IP "target = <type or type attribute>" | ||
The target type/attribute criteria for the query. | ||
.IP "tclass = <type or type attribute>[, ....]" | ||
A comma-separated list of object class criteria for the query. | ||
.IP "perms = <type or type attribute>[, ....]" | ||
A comma-separated list of permissions for the query. | ||
|
||
.PP | ||
\fBA least one of the above options must be set in this check.\fR | ||
|
||
.PP | ||
Additional Options: | ||
|
||
.IP "exempt_source = <type or type attribute>[, ....]" | ||
A comma-separated list of types and type attributes. Rules with these | ||
as the source will be ignored. This is optional. | ||
.IP "exempt_target = <type or type attribute>[, ....]" | ||
A comma-separated list of types and type attributes. Rules with these | ||
as the target will be ignored. This is optional. | ||
|
||
.SH "EMPTY TYPE ATTRIBUTE ASSERTION" | ||
This checks that the specified attribute is empty. This can optionally | ||
be set to also pass if the attribute does not exist. | ||
The check_type is \fBempty_typeattr\fR. | ||
|
||
.PP | ||
Options: | ||
.IP "attr = <type attribute>" | ||
The type attribute to check. This is required. | ||
.IP "missing_ok = <type attribute>" | ||
Consider the check passing if the attribute does not exist. | ||
This is optional. Default is false. | ||
|
||
.SH "READ-ONLY EXECUTABLES ASSERTION" | ||
This checks that all file types that are executable are read-only. | ||
The check_type is \fBro_execs\fR. | ||
|
||
.PP | ||
Options: | ||
.IP "exempt_file = <type or type attribute>[, ....]" | ||
A comma-separated list of types and type attributes. These | ||
will not be considered executable. This is optional. | ||
.IP "exempt_exec_domain = <type or type attribute>[, ....]" | ||
A comma-separated list of types and type attributes. Rules with these | ||
as the source will be ignored if they allow file execute permission. | ||
This is optional. | ||
.IP "exempt_write_domain = <type or type attribute>[, ....]" | ||
A comma-separated list of types and type attributes. Rules with these | ||
as the source will be ignored if they allow file write or append permissions | ||
on types determined executable. This is optional. | ||
|
||
.SH "CONFIGURATION EXAMPLES" | ||
|
||
.PP | ||
\fBExample\ \&1.\ \&A check called "no_unconfined" that will determine if the | ||
domain_unconfined_type attribute is empty or missing.\fR | ||
.sp | ||
.if n \{\ | ||
.RS 4 | ||
.\} | ||
.nf | ||
[no_unconfined] | ||
check_type = empty_typeattr | ||
desc = Verify that the domain_unconfined_type attribute is missing or empty. | ||
attr = domain_unconfined_type | ||
missing_ok = True | ||
.fi | ||
.if n \{\ | ||
.RE | ||
.\} | ||
|
||
.PP | ||
\fBExample\ \&2.\ \&A check called "ro_execs" that will determine if all | ||
executable types are read-only.\fR | ||
.sp | ||
.if n \{\ | ||
.RS 4 | ||
.\} | ||
.nf | ||
[ro_execs] | ||
check_type = empty_typeattr | ||
desc = Verify that the all executables and libraries are read-only. | ||
.fi | ||
.if n \{\ | ||
.RE | ||
.\} | ||
|
||
.PP | ||
\fBExample\ \&3.\ \&A check called "execheap" that will determine that | ||
there are no domains with the execheap permission except for | ||
unconfined_execheap_t.\fR | ||
.sp | ||
.if n \{\ | ||
.RS 4 | ||
.\} | ||
.nf | ||
[execheap] | ||
check_type = assert_te | ||
desc = Verify no domains have executable heap. | ||
tclass = process | ||
perms = execheap | ||
exempt_source = unconfined_execheap_t | ||
.fi | ||
.if n \{\ | ||
.RE | ||
.\} | ||
.PP | ||
|
||
.SH AUTHOR | ||
Chris PeBenito <chpebeni@linux.microsoft.com> | ||
|
||
.SH BUGS | ||
Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues | ||
|
||
.SH SEE ALSO | ||
apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
#!/usr/bin/env python3 | ||
# Copyright 2020 Microsoft Corporation | ||
# | ||
# This file is part of SETools. | ||
# | ||
# SETools is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU General Public License as published by | ||
# the Free Software Foundation, either version 2 of the License, or | ||
# (at your option) any later version. | ||
# | ||
# SETools is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with SETools. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
|
||
import setools | ||
import argparse | ||
import sys | ||
import logging | ||
import signal | ||
|
||
signal.signal(signal.SIGPIPE, signal.SIG_DFL) | ||
|
||
parser = argparse.ArgumentParser(description="SELinux policy checker tool.") | ||
parser.add_argument("--version", action="version", version=setools.__version__) | ||
parser.add_argument("config", help="Path to the checker configuration file.") | ||
parser.add_argument("policy", help="Path to the SELinux policy to check.", nargs="?") | ||
parser.add_argument("-o", "--output_file", help="Path to log output.", required=False) | ||
parser.add_argument("-v", "--verbose", action="store_true", | ||
help="Print extra informational messages") | ||
parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.") | ||
|
||
args = parser.parse_args() | ||
|
||
if args.debug: | ||
logging.basicConfig(level=logging.DEBUG, | ||
format='%(asctime)s|%(levelname)s|%(name)s|%(message)s') | ||
elif args.verbose: | ||
logging.basicConfig(level=logging.INFO, format='%(message)s') | ||
else: | ||
logging.basicConfig(level=logging.WARNING, format='%(message)s') | ||
|
||
try: | ||
p = setools.SELinuxPolicy(args.policy) | ||
c = setools.PolicyChecker(p, args.config) | ||
|
||
if args.output_file: | ||
with open(args.output_file, "w") as fd: | ||
failures = c.run(output=fd) | ||
|
||
else: | ||
failures = c.run() | ||
|
||
sys.exit(1 if failures else 0) | ||
|
||
except setools.exception.InvalidCheckerConfig as err: | ||
if args.debug: | ||
raise | ||
else: | ||
print(err) | ||
|
||
sys.exit(2) | ||
|
||
except Exception as err: | ||
if args.debug: | ||
raise | ||
else: | ||
print(err) | ||
|
||
sys.exit(3) |