Tresys has built and continues to build a number of tools for SELinux. We package these tools, along with a number of associated libraries, in a single distribution called ''SETools''. SETools is an open source project designed to facilitate SELinux policy analysis. For the development version, SETools v4, see https://github.com/TresysTechnology/setools/wiki.
The primary tools are:
The apol program is a graphical tool to analyze an SELinux policy file. Some of the features supported are the ability to browse and search policy components (e.g., types, attributes, object classes, roles, users, and booleans), search through type enforcement and other rules, and view file contexts from a filesystem. Additionally, apol allows you to perform automated, complex analyses of a policy. Current capabilities include domain transition, file relabel, types relationship, and information flow analyses.
The seaudit tool allows users to view SELinux audit messages, search and sort those messages, query a policy for rules related to those messages, and perform real-time monitoring of audit messages. Users may then generate reports on SELinux audit messages in plain text or HTML format.
The companion to seaudit is seaudit-report, an application to generate reports on SELinux audit messages in plain text or HTML format. Reports generated by this tool can be configured to include standard report sections such as policy load messages, enforcement toggle messages, policy Boolean messages, etc. A key feature of the tool is that reports can be further customized through the use of saved seaudit view files. This tool can effectively be used as a plug-in to other audit log analysis tools, such as Logwatch.
The sechecker tool is a command line program for performing modular checks on an SELinux policy and generating a report of potential errors or security concerns. This tool supports the definition of profiles for running multiple modules. Several profiles are provided with the tool, such as one for basic development checks and another for more complex semantic analyses.
SETools contains a library that can find differences between two policies. Two front ends are available, sediff (for the command line) and sediffx (a graphical application). These tools allow a user to take two policies and find semantic differences, including added or removed types, users, roles, Booleans and, more importantly, rules. The semantic difference of a policy is different from a syntactic difference in that it shows the cumulative effect of rules rather than doing a line-by-line comparison.
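To illustrate the distinction, the following added example (not part of SETools, and not sediff's own algorithm) models a semantic diff over a simplified subset of policy syntax, handling only `typeattribute` and `allow` statements. The two sample policies, the type names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Simplified statement forms (assumption: one statement per line, braces always present).
RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\};")
ATTR = re.compile(r"typeattribute\s+(\S+)\s+(\S+);")

# Constructed sample policies.
OLD_POLICY = """\
typeattribute httpd_t web_domain;
allow httpd_t web_content_t:file { read };
allow httpd_t web_content_t:file { getattr open };
"""
NEW_POLICY = """\
typeattribute httpd_t web_domain;
typeattribute nginx_t web_domain;
allow web_domain web_content_t:file { getattr open read };
allow httpd_t web_content_t:file { write };
"""

def effective_access(policy_text):
    """Map (source type, target type, class) -> permissions, attributes expanded."""
    members = defaultdict(set)
    for typ, attr in ATTR.findall(policy_text):
        members[attr].add(typ)
    expand = lambda name: members.get(name, {name})  # a plain type expands to itself
    access = defaultdict(set)
    for src, tgt, cls, perms in RULE.findall(policy_text):
        for s in expand(src):
            for t in expand(tgt):
                access[(s, t, cls)] |= set(perms.split())  # cumulative effect
    return access

def semantic_diff(old_text, new_text):
    """Return (added, removed) permissions per (source, target, class)."""
    old, new = effective_access(old_text), effective_access(new_text)
    added, removed = {}, {}
    for key in old.keys() | new.keys():
        gained = new.get(key, set()) - old.get(key, set())
        lost = old.get(key, set()) - new.get(key, set())
        if gained:
            added[key] = gained
        if lost:
            removed[key] = lost
    return added, removed

def changed_lines(old_text, new_text):
    """Line-by-line (syntactic) view: lines present in only one policy."""
    return set(old_text.splitlines()) ^ set(new_text.splitlines())

if __name__ == "__main__":
    print(len(changed_lines(OLD_POLICY, NEW_POLICY)), "lines differ textually")
    print(semantic_diff(OLD_POLICY, NEW_POLICY))
```

Every `allow` line differs between the two sample policies, yet the semantic result shows that nothing was removed: `httpd_t` gained `write`, and `nginx_t` gained access through its new attribute membership.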
SETools includes a set of command line tools, collectively called ''secmds'', for analyzing an SELinux policy and for searching and replacing SELinux file contexts.