SETools v3 - Policy Analysis Tools for SELinux
Tresys has built, and continues to build, a number of tools for SELinux. We package these tools, along with a number of associated libraries, in a single distribution called ''SETools''. SETools is an open source project designed to facilitate SELinux policy analysis. The primary tools are:
- apol - analyze an SELinux policy.
- seaudit - analyze audit messages from SELinux.
- seaudit-report - generate highly-customized audit log reports.
- sechecker - command line tool for performing modular checks on an SELinux policy.
- sediff - semantic policy difference tool for SELinux.
- secmds - command-line tools to analyze and search SELinux policy.
For the development version, SETools v4, see https://github.com/TresysTechnology/setools/wiki.
The apol program is a graphical tool to analyze an SELinux policy file. Some of the features supported are the ability to browse and search policy components (e.g., types, attributes, object classes, roles, users, and booleans), search through type enforcement and other rules, and view file contexts from a filesystem. Additionally, apol allows you to perform automated, complex analyses of a policy. Current capabilities include domain transition, file relabel, types relationship, and information flow analyses.
- Further information on apol.
- Screenshot showing a policy summary.
- Screenshot of searching for rules.
- Screenshot of performing a domain transition analysis.
- Screenshot of performing a transitive information flow analysis.
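The domain transition analysis listed above answers the question "which domains can this domain enter, and through which executables?". The following is an added example, not SETools code, that performs the forward version of that analysis over a constructed set of allow rules. It assumes the standard SELinux criteria for a valid transition from domain S to domain T via entry point type E (S may execute E, S may transition to T, and E is an entrypoint for T); it ignores attributes and type_transition rules, which the real analysis also considers.

```python
"""Forward domain transition analysis over a constructed allow-rule set.
Added example; assumes the three-rule transition criteria described in the lead-in."""
from collections import defaultdict

# Constructed sample rules: (source type, target type, object class, permissions).
SAMPLE_RULES = [
    ("init_t", "httpd_exec_t", "file", {"execute", "read", "open"}),
    ("init_t", "httpd_t", "process", {"transition"}),
    ("httpd_t", "httpd_exec_t", "file", {"entrypoint"}),
    ("init_t", "sshd_exec_t", "file", {"execute"}),
    ("init_t", "sshd_t", "process", {"transition"}),
    # No "entrypoint" rule for sshd_t on sshd_exec_t: the transition is incomplete.
    ("user_t", "passwd_exec_t", "file", {"execute"}),
    ("passwd_t", "passwd_exec_t", "file", {"entrypoint"}),
    # user_t lacks "process transition" to passwd_t: also incomplete.
]


def index_rules(rules):
    """Merge permissions per (source, target, class) so split rules count cumulatively."""
    perms = defaultdict(set)
    for src, tgt, cls, ps in rules:
        perms[(src, tgt, cls)] |= set(ps)
    return perms


def domain_transitions(rules, source):
    """Return sorted (new_domain, entrypoint_type) pairs reachable from `source`."""
    perms = index_rules(rules)
    executable = {tgt for (src, tgt, cls), ps in perms.items()
                  if src == source and cls == "file" and "execute" in ps}
    transition_to = {tgt for (src, tgt, cls), ps in perms.items()
                     if src == source and cls == "process" and "transition" in ps}
    found = set()
    for new_domain in transition_to:
        for entry in executable:
            # The third leg: the executable must be an entrypoint of the new domain.
            if "entrypoint" in perms.get((new_domain, entry, "file"), set()):
                found.add((new_domain, entry))
    return sorted(found)


if __name__ == "__main__":
    for dom, entry in domain_transitions(SAMPLE_RULES, "init_t"):
        print(f"init_t -> {dom} via {entry}")
```

The two deliberately incomplete chains in the sample (a missing entrypoint rule and a missing process transition rule) are the kind of thing that shows up as "no transition" in apol even though the policy contains an execute rule; checking all three legs is what distinguishes the analysis from a plain rule search.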
The seaudit tool allows users to view SELinux audit messages, search and sort those messages, query a policy for rules related to those messages, and perform real-time monitoring of audit messages. Users may then generate reports on SELinux audit messages in plain text or HTML format.
- Further information on seaudit.
- Screenshot examining audit messages.
- Screenshot of creating a filter.
The companion to seaudit is seaudit-report, an application to generate reports on SELinux audit messages in plain text or HTML format. Reports generated by this tool can be configured to include standard report sections such as policy load messages, enforcement toggle messages, policy Boolean messages, etc. A key feature of the tool is that reports can be further customized through the use of saved seaudit view files. This tool can effectively be used as a plug-in to other audit log analysis tools, such as Logwatch.
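To make the report sections above concrete, here is an added example (not seaudit-report's own code) that parses a handful of constructed audit records in the kernel audit format and fills the same kinds of sections: policy loads, enforcement toggles, Boolean changes, and AVC denials grouped by source type, target type and object class with their cumulative permissions. The record types (AVC, MAC_POLICY_LOAD, MAC_STATUS, MAC_CONFIG_CHANGE) and field names follow the Linux audit subsystem; the sample lines themselves are made up.

```python
"""seaudit-report style summary of SELinux audit records. Added example; the
sample records are constructed and the section layout is this example's choice."""
import re
from collections import defaultdict

# Constructed sample audit records (kernel audit format, one record per line).
SAMPLE_AUDIT = """\
type=MAC_POLICY_LOAD msg=audit(1700000000.100:10): policy loaded auid=0 ses=1
type=AVC msg=audit(1700000001.200:11): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.300:12): avc:  denied  { getattr open } for  pid=1201 comm="httpd" path="/home/alice/index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=MAC_STATUS msg=audit(1700000002.000:13): enforcing=0 old_enforcing=1 auid=1000 ses=2
type=MAC_CONFIG_CHANGE msg=audit(1700000003.000:14): bool=httpd_enable_homedirs val=1 old_val=0 auid=1000 ses=2
type=AVC msg=audit(1700000004.000:15): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

TYPE_RE = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.\d+:\d+\):\s*(?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_records(text):
    """Yield (record_type, seconds, body) for each well-formed audit line; skip the rest."""
    for line in text.splitlines():
        m = TYPE_RE.match(line.strip())
        if m:
            yield m.group("type"), int(m.group("secs")), m.group("body")


def summarize(text):
    """Build the report sections from the records in `text`."""
    report = {"policy_loads": 0, "enforcement_toggles": [], "boolean_changes": [], "denials": {}}
    denials = defaultdict(lambda: {"count": 0, "perms": set()})
    for rtype, secs, body in parse_records(text):
        if rtype == "MAC_POLICY_LOAD":
            report["policy_loads"] += 1
        elif rtype == "MAC_STATUS":
            m = re.search(r"enforcing=(\d) old_enforcing=(\d)", body)
            if m:  # (time, old mode, new mode)
                report["enforcement_toggles"].append((secs, int(m.group(2)), int(m.group(1))))
        elif rtype == "MAC_CONFIG_CHANGE":
            m = re.search(r"bool=(\S+) val=(\d) old_val=(\d)", body)
            if m:  # (boolean, old value, new value)
                report["boolean_changes"].append((m.group(1), int(m.group(3)), int(m.group(2))))
        elif rtype == "AVC":
            m = AVC_RE.search(body)
            if m and m.group("result") == "denied":
                key = (context_type(m.group("scontext")), context_type(m.group("tcontext")), m.group("tclass"))
                denials[key]["count"] += 1
                denials[key]["perms"] |= set(m.group("perms").split())
    report["denials"] = {k: (v["count"], sorted(v["perms"])) for k, v in denials.items()}
    return report


def render(report):
    """Plain-text rendering of the summary (the HTML form is left out here)."""
    lines = [f"Policy loads: {report['policy_loads']}"]
    for secs, old, new in report["enforcement_toggles"]:
        lines.append(f"Enforcement changed {old} -> {new} at {secs}")
    for name, old, new in report["boolean_changes"]:
        lines.append(f"Boolean {name}: {old} -> {new}")
    for (src, tgt, cls), (count, perms) in sorted(report["denials"].items()):
        lines.append(f"{count:>4} denied  {src} -> {tgt} : {cls} {{ {' '.join(perms)} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_AUDIT)))
```

Grouping denials by (source type, target type, class) and taking the union of permissions is what turns a stream of individual AVC lines into the view a policy writer needs: here the two httpd_t denials on user_home_t collapse into one line carrying read, getattr and open. The permissive=1 record is still counted as a denial, which is usually what you want when reviewing a policy under development.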
The sechecker tool is a command line program for performing modular checks on an SELinux policy and generating a report of potential errors or security concerns. This tool supports the definition of profiles for running multiple modules. Several profiles are provided with the tool, such as one for basic development checks and another for more complex semantic analyses.
- Further information on sechecker.
- Screenshot of sechecker.
- Screenshot of available sechecker modules.
- Screenshot of a sechecker report.
sediff and sediffx
SETools contains a library that can find differences between two policies. Two front ends are available, sediff (for the command line) and sediffx (a graphical application). These tools allow a user to take two policies and find semantic differences, including added or removed types, users, roles, Booleans and more importantly, rules. The semantic difference of a policy is different from a syntactic difference in that it shows the cumulative effect of rules rather than doing a line-by-line comparison.
- Further information on sediff and sediffx.
- Screenshot of sediffx finding modified MLS levels.
- Screenshot of sediffx returning line numbers of modified AV rules.
- Screenshot of sediffx's Remap Types dialog.
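The distinction drawn above between a semantic and a syntactic difference is easy to see on a small input. The following added example (not SETools' diff library) computes a semantic difference of allow rules between two constructed policy fragments: every allow rule for the same (source, target, class) is merged first, so rules that were merely split, reordered or duplicated are not reported, and only permissions whose cumulative presence changed show up. For contrast it also counts how many lines a naive line-by-line comparison would flag on the same input, which the page only describes in words.

```python
"""Semantic versus syntactic difference of allow rules. Added example; the two
policy fragments are constructed, and the rule parser only handles the
braced `allow src tgt : cls { perms };` form used in them."""
import re
from collections import Counter, defaultdict

OLD_POLICY = """\
allow httpd_t httpd_sys_content_t : file { read getattr };
allow httpd_t httpd_sys_content_t : file { open };
allow httpd_t httpd_log_t : file { append create };
allow sshd_t sshd_key_t : file { read };
allow sshd_t sshd_tmp_t : dir { search };
"""

NEW_POLICY = """\
allow httpd_t httpd_log_t : file { append create };
allow httpd_t httpd_sys_content_t : file { open read getattr };
allow httpd_t httpd_sys_content_t : file { write };
allow sshd_t sshd_key_t : file { read };
allow sshd_t sshd_key_t : file { read };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*?)\s*\}\s*;$")


def cumulative_allows(text):
    """Map (source, target, class) -> union of permissions over all allow rules."""
    allows = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            allows[(m.group(1), m.group(2), m.group(3))] |= set(m.group(4).split())
    return allows


def semantic_diff(old_text, new_text):
    """Return {'added': ..., 'removed': ..., 'modified': ...} keyed by (src, tgt, cls).
    'modified' values are (permissions added, permissions removed)."""
    old, new = cumulative_allows(old_text), cumulative_allows(new_text)
    result = {"added": {}, "removed": {}, "modified": {}}
    for key in old.keys() | new.keys():
        if key not in old:
            result["added"][key] = sorted(new[key])
        elif key not in new:
            result["removed"][key] = sorted(old[key])
        elif old[key] != new[key]:
            result["modified"][key] = (sorted(new[key] - old[key]), sorted(old[key] - new[key]))
    return result


def syntactic_line_changes(old_text, new_text):
    """Lines a plain textual comparison would flag: present in one version but not
    the other (duplicates counted), regardless of cumulative effect."""
    old, new = Counter(old_text.splitlines()), Counter(new_text.splitlines())
    return sum((old - new).values()) + sum((new - old).values())


if __name__ == "__main__":
    d = semantic_diff(OLD_POLICY, NEW_POLICY)
    for section in ("added", "removed", "modified"):
        for key, value in sorted(d[section].items()):
            print(section, key, value)
    print("lines a textual diff would flag:", syntactic_line_changes(OLD_POLICY, NEW_POLICY))
```

On this input the textual comparison flags six lines, yet the only semantic changes are one new permission (write on httpd_sys_content_t) and one removed rule (sshd_t searching sshd_tmp_t); the reordered, re-split and duplicated rules disappear once permissions are accumulated per key.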
SETools includes a set of command line tools, collectively called ''secmds'', for analyzing an SELinux policy and for searching and replacing SELinux file contexts.
- seinfo is a tool for looking at an SELinux policy and viewing various component elements and statistics.
- sesearch is a tool to search for rules (such as allow, type_change, and range_transition) in an SELinux policy.
- findcon is a tool for performing an SELinux file context search upon a filesystem, a file_contexts file, or a database generated by indexcon. This tool allows searches for files that match a particular user, type, path, and so forth. The search string can specify complete contexts, partial contexts, and shell globbing style wildcards.
- replcon is a tool for replacing file contexts. This tool uses the same searching parameters as findcon, but will then replace the context or part of the context on the matched filesystem objects.
- indexcon is a tool for creating a snapshot of security contexts for SELinux filesystem entities.
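The findcon and replcon entries above describe matching complete or partial contexts with shell-style wildcards and then replacing all or part of a matched context. The following added example (not the secmds code) implements that idea over a constructed list of (path, context) pairs, the kind of snapshot indexcon would produce. Its matching rules are this example's assumption, not the real tools' syntax: a pattern is user:role:type[:range], a field left empty or omitted matches anything, and fields may contain globs; a replacement of the same shape substitutes only its non-empty fields.

```python
"""findcon/replcon style context matching and partial replacement over a
constructed snapshot. Added example; the pattern syntax is an assumption."""
from fnmatch import fnmatchcase

# Constructed snapshot of filesystem entries and their security contexts.
SAMPLE_SNAPSHOT = [
    ("/var/www/html/index.html", "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/html/upload", "system_u:object_r:httpd_sys_rw_content_t:s0"),
    ("/home/alice/public_html/index.html", "unconfined_u:object_r:httpd_user_content_t:s0"),
    ("/home/alice/notes.txt", "unconfined_u:object_r:user_home_t:s0"),
    ("/etc/shadow", "system_u:object_r:shadow_t:s0"),
]

FIELDS = ("user", "role", "type", "range")


def parse_context(context):
    """Split user:role:type[:range] into a dict; missing trailing fields become ''.
    The range keeps any colons it contains (e.g. an MLS range like s0-s0:c0.c1023)."""
    parts = context.split(":", 3)
    return dict(zip(FIELDS, parts + [""] * (4 - len(parts))))


def context_matches(pattern, context):
    """True when every non-empty pattern field glob-matches the context field."""
    pat, ctx = parse_context(pattern), parse_context(context)
    return all(not pat[f] or fnmatchcase(ctx[f], pat[f]) for f in FIELDS)


def findcon(snapshot, context_pattern="", path_pattern="*"):
    """Return the entries whose context and path both match."""
    return [(p, c) for p, c in snapshot
            if fnmatchcase(p, path_pattern) and context_matches(context_pattern, c)]


def replcon(snapshot, context_pattern, replacement, path_pattern="*"):
    """Return a new snapshot in which matched entries get the non-empty fields of
    `replacement` substituted; unmatched entries and unspecified fields are kept."""
    new_fields = parse_context(replacement)
    out = []
    for p, c in snapshot:
        if fnmatchcase(p, path_pattern) and context_matches(context_pattern, c):
            cur = parse_context(c)
            merged = {f: new_fields[f] or cur[f] for f in FIELDS}
            c = ":".join(merged[f] for f in FIELDS if merged[f])
        out.append((p, c))
    return out


if __name__ == "__main__":
    for path, ctx in findcon(SAMPLE_SNAPSHOT, "::httpd_*"):
        print(f"{ctx}\t{path}")
    for path, ctx in replcon(SAMPLE_SNAPSHOT, "::httpd_user_content_t", "::httpd_sys_content_t", "/home/*"):
        print(f"{ctx}\t{path}")
```

Note that fnmatch treats "*" as matching across "/" as well, so a path pattern of "/home/*" matches files in subdirectories; restrict the path pattern if that is not intended. Keeping the replacement partial (only the type here) is the safe default for relabel fixes, since it never touches the SELinux user or MLS range of entries it matches.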