This repository has been archived by the owner. It is now read-only.
SELinux Policy Analysis Tools v3
C Tcl C++ Objective-C CSS Python
pebenito Update for 2015-02-02 Userspace release (2.4)
SETools now requires libsepol 2.4 and libselinux 2.4.
Latest commit f1e5b20 Feb 12, 2015
Failed to load latest commit information.
apol setools: Update to load v29 policy source files. Apr 25, 2014
debian Yet another compile error, found on FC8. Aug 15, 2008
libapol Make the SWIG files compatible with SWIG 3 Feb 6, 2015
libpoldiff Make the SWIG files compatible with SWIG 3 Feb 6, 2015
libqpol Update for 2015-02-02 Userspace release (2.4) Feb 12, 2015
libseaudit Make the SWIG files compatible with SWIG 3 Feb 6, 2015
libsefs setools: APOL Add default_objects and CIL policy namespaces tabs Apr 25, 2014
m4 Ensure architecture independent parts of python SWIG wrapper get inst… Mar 12, 2010
man Update man pages and getopts Jan 8, 2013
packages Final prep for 3.3.7 release Apr 30, 2010
python Fix setools python dependencies Jan 8, 2013
seaudit rhbz 832660 - applied patch preventing seaudit from starting Jan 11, 2013
sechecker Merged SETools 3.3.3 into trunk. Feb 22, 2008
secmds Update for 2015-02-02 Userspace release (2.4) Feb 12, 2015
sediff Remove deprecated use of g_cond_timed_wait which prevented sediffx fr… Jan 16, 2014
AUTHORS Documentation updates before release. May 3, 2010
COPYING Merged setools-devel into trunk. Feb 6, 2007
COPYING.GPL Merged setools-devel into trunk. Feb 6, 2007
COPYING.LGPL Merged setools-devel into trunk. Feb 6, 2007
ChangeLog setools: Update to load v29 policy source files. Apr 25, 2014
KNOWN-BUGS More minor tweaks for upcoming release. Aug 15, 2008 Add python bindings for seinfo and sesearch Jan 8, 2013
NEWS trunk: final prep for release. Jul 22, 2009
README Switching svn references to git May 16, 2014
TODO Merged SETools 3.3 into trunk. Aug 2, 2007 setools: initial checkin of comprehensive overhaul of build system Bu… May 22, 2006 Update for 2015-02-02 Userspace release (2.4) Feb 12, 2015


SETools - Policy analysis tools for SELinux (C) 2001-2014
Tresys Technology,


1. Overview
2. Installation
  2.1. compiling from official distribution
  2.2. compiling from git clone 
  2.3. configure flags
  2.4. using development version of SELinux
  2.5. Logwatch support
  2.6. doxygen support
3. Features
  3.1. graphical tools
  3.2. command-line tools
  3.3. analysis libraries
4. Obtaining SETools
5. Reporting bugs
6. Copyright license

1. Overview

This file describes SETools, developed by Tresys Technology.  SETools
is a collection of graphical tools, command-line tools, and libraries
designed to facilitate SELinux policy analysis.  Although SETools is
primarily targeted for Red Hat-based systems, it should also work for
Gentoo and Debian distributions.  See the file KNOWN-BUGS for testing

SETools includes the following graphical tools, command-line tools,
and libraries:

  apol          policy analysis tool
  libapol       policy analysis library
  libpoldiff    semantic policy difference library
  libqpol       library that abstracts policy internals
  libseaudit    parse and filter SELinux audit messages in log files
  libsefs       open and search SELinux file contexts
  seaudit       audit log analysis tools: seaudit and seaudit-report
  sechecker     SELinux policy checking tool
  secmds        command line tools: seinfo, sesearch, findcon,
                replcon, and indexcon
  sediff        semantic policy difference tools: sediff and sediffx

Each of these components is in a subdirectory under the top-level
source directory, along with supporting pieces in the following

  man           manual pages for SETools commands
  packages      miscellaneous support for external packages

In addition the top-level source directory contains various pieces of
documentation.  Please consult the file KNOWN-BUGS in this directory
prior to filing any bug reports.

2. Installation

SETools uses the GNU build system to configure, compile, and install.
As such it contains a configure script that will verify its
dependencies.  SETools requires the following development packages for
  pkg-config 0.23 or greater
  libselinux 2.0.87 or greater
  libsepol 2.0.38 or greater
  libsepol-static 2.0.38 or greater
  sqlite 3.6.20 or greater

These packages are needed to build SETools's graphical tools:
  swig 1.3.28 or greater
  bwidget 1.8 or later
  tcl-devel 8.4.9 or greater
  tk-devel 8.4.9 or greater
  gtk2-devel 2.8 or greater

To build additional SETools SWIG wrappers, these packages are
  Java JDK 1.2 or greater
  python-devel 2.3 or greater

Apol requires BWidget 1.7 or greater to run.  The BWidget toolkit is
part of the tcllib package and is often not present in Linux
distributions; the toolkit may be freely downloaded at  The supplied configure script attempts
to detect the version of BWidget installed.  If it is not found then
SETools will use the prepackaged one found within the 'packages'
subdirectory.  In some situations the toolkit will not be
automatically found; if you are sure that BWidget is present then
specify --disable-bwidget-check to the configure script.

2.1. compiling from official distribution

The official, stable source distribution is available from  Untar and uncompress the
distribution, and perform the following.

  $ cd setools-3.3.7
  $ ./configure
  $ make
  $ make install

This will put the binaries in /usr/local/bin, data files in
/usr/local/share/setool-3.3, and libraries in /usr/local/lib.
Assuming that /usr/local/bin is in your $PATH and /usr/local/lib in
$LD_LIBRARY_PATH everything should now work.

2.2. compiling from git clone 

If you prefer the bleeding edge of SETools development, you could
instead obtain the development version of SETools from the git 
repository (see Section 4).

  $ cd setools
  $ autoreconf -i -s
  $ ./configure
  $ make
  $ make install

You will need a recent version of autoconf to create the configure
script.  SETools was written using autoconf-2.60, although
autoconf-2.59 also seems to work correctly albeit with a build

As SETools uses the GNU build system, other make targets are
available.  `make install-strip' will strip unneeded symbols from
installed binaries.  `make uninstall' removes files written by an
earlier install.

2.3. configure flags

You can customize your SETools build using the flags given to
`configure'.  Notable options include:

      All code will be compiled using static libraries and the gcc
      flags '-g3 -gdwarf-2 -O0'.  This flag is useful for tracking
      down issues.

      Build only the command-line tools: seinfo, sesearch, findcon,
      indexcon, replcon, sechecker, and sediff.

      Assume that BWidget 1.8 is installed on the system.  The
      configure script normally tries to launch a Tcl script that
      loads BWidget, which requires a running X session.  You will
      need this flag if compiling in a non-X environment.

      Disable the build-time check for SELinux.  In rare
      circumstances the build computer will not have SELinux
      running, resulting in 'configure' producing a warning and
      disable parts of SETools.  By specifying this flag,
      'configure' will not disable parts of SETools.

      Build SWIG interfaces for Java.  This permits third-party
      developers who prefer Java to use the SETools libraries for
      their own projects.

      Build SWIG interfaces for Python.  This permits third-party
      developers who prefer Python to use the SETools libraries for
      their own projects.

      Build SWIG interfaces for Tcl.  This is needed for the apol
      tool.  By default this flag is enabled.

      Look for libsepol source files in PATH.  Use this flag when
      compiling against a development version of SELinux (see
      Section 2.4).  Note that if --enable-sepol-src and
      --with-sepol-devel are both specified then this flag takes

      Look for Tcl development files in PATH.  Debian users will
      need to specify this flag, as Tcl 8.4 is typically located at

      Look for Tk development files in PATH.  Debian users will need
      to specify this flag, as Tk 8.4 is typically located at

      Look for libsepol header files in PATH/include and library in
      PATH/lib64 and PATH/lib.  Note that if --enable-sepol-src and
      --with-sepol-devel are both specified then --enable-sepol-src
      takes precedence.

      Look for libselinux header files in PATH/include and library
      in PATH/lib64 and PATH/lib.

      Explicitly use PATH as the default SELinux policy source file,
      instead of inferring its location based upon the return value
      of selinux_policy_root().

      Use the policies in PATH as input to the SETools tests; these
      tests are invoked upon `make check'.

Of course, `configure' accepts other usual flags such as --prefix.

2.4. Using a development version of SELinux

As SELinux is a rapidly evolving project, you may wish to use a
version of that is newer than the one installed to
/usr/lib.  To support different versions of libsepol, SETools can be
configured to compile against a specific version of libsepol using the
--enable-sepol-src flag.  For example, suppose you have a SELinux SVN
checkout and compilation like the following:

  $ cd /home/gburdell
  $ svn co selinux
  $ cd selinux/libsepol
  $ make

You can compile SETools against this particular copy of libsepol:

  $ cd /home/gburdell/setools
  $ ./configure --enable-sepol-src=/home/gburdell/selinux/libsepol

Note that --enable-sepol-src will override the flag

2.5. Logwatch support

Integrating SETools with Logwatch can provide an effective IDS
solution by automating customized audit reports and having them
emailed to a specific recipient(s) for further analysis.  You can
integrate SETools into Logwatch using the seaudit-report plugin by
specifying the `make install-logwatch' target.  This target installs
the configuration necessary for having seaudit-report run as a
Logwatch service.  The configuration files are part of the SETools
source distribution, located in the seaudit subdirectory, and include:

      logfile group configuration file

      service filter config file

      service filter script

Make sure the Logwatch program is installed before proceeding with
using this install target.

2.6. doxygen support

All externally exported library functions include doxygen-style tags
in the documentation.  To produce your own HTML outputs when writing
third-party tools, use the doxygen configuration file located in
packages/Doxyfile; it directs generated output to /tmp/setools.  From
the top-level source directory do:

  $ doxygen packages/Doxyfile

3. Features

SETools encompasses a number of tools, both graphical and command
line, and libraries.  Many of the programs have help files accessible
during runtime.

3.1. graphical tools

The main emphasis of SETools is the graphical analysis tools.

      A Tcl/Tk graphical analysis tool.  Use it to open a SELinux
      policy, examine the policy's components and rules, and perform
      various types of analyses.

      A GTK+ graphical audit log analysis tool for SELinux.  This
      tool allows users to sort and filter the system's audit log,
      query the policy based on audit messages, and export audit log
      messages to a file.  The tool can also create reports in HTML
      or plaintext format using an entire audit log or an seaudit
      view.  Note that this program is installed in $(PREFIX)/sbin
      because its main function is to analyze /var/log/audit/audit.log.

      A GTK+ graphical tool to semantically compare two policies.
      Use sediffx to open two SELinux policies, find differences
      between them, and then show those results.

3.2. command-line tools

Some tools in the SETools suite may be run in a non-windowing
environment.  The first six tools listed below are located in the
secmds subdirectory; the rest are in their own directories.

      A tool to quickly get a list of components from a SELinux

      A tool to search rules (allow, type_transition, etc.) and constraints 
      within a SELinux policy.

      A tool to search files with a matching SELinux file context.
      The tool can search a filesystem directly, a file_contexts file,
      or a database as created by indexcon.

      A tool to search the filesystem, replacing a matched file's
      context with a different one.

      A tool to create a database that indexes the security contexts
      of a SELinux filesystem.

      A tool for performing modular checks on an SELinux policy.
      Sechecker supports configuration profiles to specify multiple
      modules and generates a report of potential issues within a

      A tool for generating reports on SELinux audit messages in
      plaintext or HTML format.  Reports generated by this tool can
      be configured to include standard report sections such as
      policy load messages, enforcement toggles messages, policy
      boolean messages, etc.  A key feature of the tool is that
      reports can be further customized through the use of saved
      seaudit view files.  The tool can effectively be used as a
      plugin to other audit log analysis tools, such as the Logwatch

      A tool to load two SELinux policies, find differences between
      them, and then show those results.  The tool provides a
      command-line interface to libpoldiff.

3.3. analysis libraries

The SETools support libraries (libapol, libpoldiff, libqpol,
libseaudit, and libsefs) are available for use in third-party
applications.  Although they are not officially supported (and thus
subject to change between SETools releases), we will do our best to
maintain compatibility beginning with SETools version 3.0.

      Abstract the internals of an SELinux policy behind a
      consistent interface, such that changes to the policy
      representation (as governed by libsepol) do not affect
      analysis tools.

      Work with libqpol to perform higher-order analyses of a
      policy.  A typical sequence for an analysis tool is:
          open a policy via apol_policy_open()
          execute some query via apol/policy-query.h
          obtain detailed results via qpol/policy_query.h
          close the policy via apol_policy_destroy()

      Parse and store SELinux audit messages.  Its chief users are
      seaudit and seaudit-report.

      Accept two SELinux policies and finds differences between
      them.  Its main users are sediff and sediffx.

      Create a represention of file contexts, by reading contexts
      directly from a filesystem, from a file_contexts file, or from a
      specially formatted database.  Queries can then be created and
      executed against those file contexts

These libraries have SWIG wrappers that are built if
--enable-swig-java, --enable-swig-python, and/or --enable-swig-tcl are
given during configuration time.  The generated Java wrappers will be
in placed $PREFIX/lib; symlinks to jar files will be in
$PREFIX/share/java.  Python wrappers will be installed to Python's
site-packages directory.  Tcl wrappers are built as Tcl packages
(e.g., `package require apol') and placed in $PREFIX/lib/setools.

4. Obtaining SETools

Official releases of SETools may be freely downloaded from Tresys's
Open Source Software website,

Tresys builds RPM packages of SETools.  They may also be obtained from
the website listed above.

SETools source code is maintained within a git repository.
From the command line do:

  $ git clone

You may also browse the git repository at

Other binary releases SETools are available for your favorite Linux
packaging system from third-party sources.  Gentoo users have an
ebuild script for SETools.  Debian maintains the dpkg "setools" in
section admin, priority optional.

5. Reporting bugs

If you found a bug, have a suggestion, or otherwise would like to
comment upon SETools, please email  We will
respond to you as soon as possible.

6. Copyright license

The intent is to allow free use of this source code.  All programs'
source files are copyright protected and freely distributed under the
GNU General Public License (see COPYING.GPL).  All library source
files are copyright under the GNU Lesser General Public License (see
COPYING.LGPL).  Absolutely no warranty is provided or implied.