SETools - Policy Analysis Tools for SELinux

Tresys has built, and continues to build, a number of tools for SELinux. We package these tools, along with a number of associated libraries, in a single distribution called SETools. SETools is an open source project designed to facilitate SELinux policy analysis. The primary tools are:

  • apol - analyze an SELinux policy.
  • seaudit - analyze audit messages from SELinux.
  • seaudit-report - generate highly-customized audit log reports.
  • sechecker - command line tool for performing modular checks on an SELinux policy.
  • sediff - semantic policy difference tool for SELinux.
  • secmds - command-line tools to analyze and search SELinux policy.

apol

The apol program is a graphical tool to analyze an SELinux policy file. Some of the features supported are the ability to browse and search policy components (e.g., types, attributes, object classes, roles, users, and booleans), search through type enforcement and other rules, and view file contexts from a filesystem. Additionally, apol allows you to perform automated, complex analyses of a policy. Current capabilities include domain transition, file relabel, types relationship, and information flow analyses.

seaudit

The seaudit tool allows users to view SELinux audit messages, search and sort those messages, query a policy for rules related to those messages, and perform real-time monitoring of audit messages. Users may then generate reports on SELinux audit messages in plain text or HTML format.

seaudit-report

The companion to seaudit is seaudit-report, an application to generate reports on SELinux audit messages in plain text or HTML format. Reports generated by this tool can be configured to include standard report sections such as policy load messages, enforcement toggle messages, policy boolean messages, etc. A key feature of the tool is that reports can be further customized through the use of saved seaudit view files. This tool can effectively be used as a plug-in to other audit log analysis tools, such as Logwatch.

sechecker

The sechecker tool is a command line program for performing modular checks on SELinux policy and generating a report of potential errors or security concerns. This tool supports the definition of profiles for running multiple modules. Several profiles are provided with the tool, such as one for basic development checks and another for more complex semantic analyses.

sediff and sediffx

SETools contains a library that can find differences between two policies. Two front ends are available, sediff (for the command line) and sediffx (a graphical application). These tools allow a user to take two policies and find semantic differences, including added or removed types, users, roles, booleans and more importantly, rules. The semantic difference of a policy is different from a syntactic difference in that it shows the cumulative effect of rules rather than doing a line-by-line comparison.
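To make the semantic-versus-syntactic distinction concrete, here is an added Python illustration (not SETools code) that aggregates allow rules per source/target/class and diffs the cumulative permission sets; the rule text and type names are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample policies (not real policy files), written in the
# plain-text allow-rule form. The httpd_log_t rules are rewritten between
# the two versions but grant the same permissions in total.
POLICY_A = """
allow httpd_t httpd_log_t:file { read getattr };
allow httpd_t httpd_log_t:file append;
allow httpd_t httpd_config_t:file read;
"""
POLICY_B = """
allow httpd_t httpd_log_t:file { append getattr read };
allow httpd_t httpd_config_t:file { read write };
allow httpd_t user_home_t:dir search;
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

def collect_allow_rules(policy_text):
    """Merge permissions per (source, target, class) key.

    Merging is what makes the comparison semantic: the cumulative
    permission set matters, not how many lines it took to grant it.
    """
    perms = defaultdict(set)
    for src, tgt, cls, permstr in RULE_RE.findall(policy_text):
        perms[(src, tgt, cls)] |= set(permstr.strip("{} ").split())
    return perms

def semantic_diff(old_text, new_text):
    """Return added/removed permissions keyed by (source, target, class)."""
    old, new = collect_allow_rules(old_text), collect_allow_rules(new_text)
    diff = {}
    for key in old.keys() | new.keys():
        added = new.get(key, set()) - old.get(key, set())
        removed = old.get(key, set()) - new.get(key, set())
        if added or removed:
            diff[key] = {"added": sorted(added), "removed": sorted(removed)}
    return diff

def syntactic_diff(old_text, new_text):
    """Line-by-line comparison for contrast: any rewritten line shows up."""
    old = {l.strip() for l in old_text.splitlines() if l.strip()}
    new = {l.strip() for l in new_text.splitlines() if l.strip()}
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for key, change in sorted(semantic_diff(POLICY_A, POLICY_B).items()):
        print(key, change)
```

Running it reports only the new write permission on httpd_config_t and the new user_home_t rule, while the line-based comparison flags every line of both policies.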

secmds

SETools includes a set of command line tools, collectively called secmds, for analyzing an SELinux policy and for searching and replacing SELinux file contexts.

  • seinfo is a tool for looking at an SELinux policy and viewing various component elements and statistics.
  • sesearch is a tool to search for rules (such as allow, type_change, and range_transition) in an SELinux policy.
  • findcon is a tool for performing an SELinux file context search upon a filesystem, a file_contexts file, or a database generated by indexcon. This tool allows searches for files that match a particular user, type, path, and so forth. The search string can specify complete contexts, partial contexts, and shell globbing style wildcards.
  • replcon is a tool for replacing file contexts. This tool uses the same searching parameters as findcon, but will then replace the context or part of the context on the matched filesystem objects.
  • indexcon is a tool for creating a snapshot of security contexts for SELinux filesystem entities.