Tools
Analysis tools are primarily used to analyze the kernel policy (either the on-disk policy file or the kernel's in-memory policy via /sys/fs/selinux/policy) for certain criteria, for example information flow. These tools form the basis on which we can make claims concerning the security properties of an SELinux system. They are required on development systems being used to analyze a target policy, and are rarely installed on production systems.
| Tool name | Description | Package |
| --- | --- | --- |
| apol | perform many analyses on the target policy including domain transition, information flow, standard queries, filesystem analysis and so on | setools-gui |
| sechecker | configuration-driven automated policy analysis | setools-console |
| sediff | perform a semantic difference between two policies | setools-console |
| sedta | perform domain transition analysis on a policy | setools-console-analyses |
| seinfo | query the components of an SELinux policy | setools-console |
| seinfoflow | perform information flow analysis on a policy | setools-console-analyses |
| sesearch | search a policy file for various policy rules or components such as allow rules, symbols, etc | setools-console |
Build time tools are used during building a policy from source into modules or a monolithic kernel policy. They are required on systems that intend to build policies from source, including production systems that use tools such as audit2allow to add new policy rules at runtime. They are not required on typical non-developer end-systems.
| Tool name | Description | Package |
| --- | --- | --- |
| checkmodule | compile a binary policy module from a module source file | checkpolicy |
| checkpolicy | compile a kernel policy from a policy source file | checkpolicy |
| semodule_package | create a binary policy package from a binary module plus, optionally, file contexts, seusers, user_extra and/or netfilter_contexts files | semodule-utils (>= 2.7 upstream) or policycoreutils (<= 2.6 upstream or any version in Fedora) |
| semodule_unpackage | extract the binary policy module and optionally the file contexts file from a binary policy package | semodule-utils (>= 2.7 upstream) or policycoreutils (<= 2.6 upstream or any version in Fedora) |
| secilc | compile a binary kernel policy from Common Intermediate Language (CIL) policy modules | secilc |
Development tools are used when writing SELinux policy and are typically installed on development systems or end-systems during development and testing. Some tools are more focused on typical end-users while others are more focused on experienced kernel or policy developers. For example audit2allow may be used by typical end users to create policies from audit messages while sedispol would generally only be used by kernel or policy developers to inspect specific components of a kernel policy.
| Tool name | Description | Source |
| --- | --- | --- |
| audit2allow | read SELinux denials and show the corresponding allow rules | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| audit2why | determine why a denial occurred, for example whether it was caused by a constraint; requires a kernel policy | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| getconlist | list all SELinux contexts reachable for the specified user from the current or specified context | libselinux-utils (as selinuxconlist) |
| getdefaultcon | display the default SELinux context for the specified user from the specified context | libselinux-utils (as selinuxdefcon) |
| getpolicyload | display the maximum policy version supported by the kernel for loading | libselinux-utils |
| matchpathcon | query the active file_contexts file for how a particular path should be labeled | libselinux |
| secon | see the context of an SELinux object (file, process, key) | policycoreutils |
| dismod | query various parts of a compiled policy module or policy package (distributed as sedismod on Fedora and RHEL) | checkpolicy |
| dispol | query various parts of a compiled kernel policy (distributed as sedispol on Fedora and RHEL) | checkpolicy |
| selinux_check_secure_tty_context | check whether a tty context is a securetty context | libselinux |
| semodule_expand | expand a base policy module into a kernel policy | semodule-utils (>= 2.7 upstream) or policycoreutils (<= 2.6 upstream or any version in Fedora) |
| semodule_link | link a list of policy modules together | semodule-utils (>= 2.7 upstream) or policycoreutils (<= 2.6 upstream or any version in Fedora) |
| sepolgen-ifgen | generate the interface file that audit2allow uses to match interfaces to rules when generating refpolicy style policy modules | selinux-python (>= 2.7 upstream) or policycoreutils-devel (<= 2.6 upstream or any version in Fedora) |
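To make the audit2allow step concrete, the following Python script is an added example (it is not the project's audit2allow, which ships in selinux-python) that does the core of what audit2allow does: it extracts the denied permissions, source type, target type and object class from AVC audit records, merges repeated denials for the same type pair and class, and prints allow rules together with the module skeleton that `audit2allow -M` would produce. The audit lines are constructed for this example; the module name `local_httpd` is hypothetical.

```python
"""Turn AVC denial records into allow rules, the way audit2allow does (simplified)."""
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the page). The layout follows the
# kernel's AVC audit format and includes one SYSCALL record that must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
"""

# Permissions are inside the braces; scontext/tcontext/tclass follow later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]


def parse_denials(audit_text: str) -> dict:
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def render_rules(denials: dict) -> list:
    """Render allow rules; braces only when there is more than one permission, like audit2allow."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def render_module(name: str, denials: dict) -> str:
    """Wrap the rules in a module/require/allow skeleton, as audit2allow -M does."""
    types = sorted({t for (s, tg, _) in denials for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += render_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("local_httpd", parse_denials(SAMPLE_AUDIT_LOG)))
```

What this script cannot tell you, and audit2why can, is whether a boolean or a constraint caused the denial and whether an allow rule is the right fix at all. In the constructed sample, httpd_t reading user_home_t is a labeling problem (the content should carry an httpd content type, set with semanage fcontext and restorecon), not a missing rule; loading the generated module instead would let the web server read every user's home directory.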
Relabeling tools are used to relabel files given different kinds of inputs. Some tools simply take a context while others query the active file_contexts file on the system. Some are able to look at the package data of the distribution they are using to get a list of files to be relabeled. Not included in this list is the init script or systemd unit file used on some systems to relabel a filesystem automatically at boot time when necessary.
| Tool name | Description | Source |
| --- | --- | --- |
| chcon | change the context, or part of the context, of a file | coreutils |
| chcat | change the categories on a file, or the authorized categories for a user | selinux-python (>= 2.7 upstream) or policycoreutils-python-utils (<= 2.6 upstream or any version in Fedora) |
| fixfiles | relabel files or verify file labels based on rpm package name or path; uses the active file_contexts file | policycoreutils |
| rlpkg | relabel files based on Gentoo package (Gentoo specific) | gentoo |
| restorecon | relabel files based on path | policycoreutils |
| restorecond | daemon that uses inotify to relabel files at runtime | restorecond (>= 2.7 upstream) or policycoreutils-restorecond (<= 2.6 upstream or any version in Fedora) |
| setfiles | relabel files based on path using an explicitly supplied file_contexts file; can also verify a file_contexts file against a binary policy | policycoreutils |
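All of the relabeling tools above resolve a path against file_contexts. The following Python script is an added example (not libselinux, setfiles or restorecon code) that models that resolution: each entry is a regular expression anchored to the whole path, an optional file type filter (`--`, `-d`, `-l`, ...) restricts an entry to one inode type, `<<none>>` marks paths to leave alone, and when several entries match the last one in the file wins (the policy build orders file_contexts from general to specific, and file_contexts.local is read after the distribution file, which is why entries added with semanage fcontext override). The last function reproduces restorecon's default of resetting only the type field unless -F is given. The file_contexts excerpt and the paths are constructed for the example; customizable types and file_contexts.subs path substitution are not modeled.

```python
"""Resolve a path to its file_contexts label (added example; not libselinux/setfiles code)."""
import re
import stat

# Constructed file_contexts excerpt for this example, not a real distribution file.
# Columns: <regex>  [<file type filter>]  <context> | <<none>>
SAMPLE_FILE_CONTEXTS = """\
/.*                        system_u:object_r:default_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/etc/shadow.*        --    system_u:object_r:shadow_t:s0
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/proc                -d    <<none>>
# the kind of entry "semanage fcontext -a" writes to file_contexts.local
/srv/app(/.*)?             system_u:object_r:httpd_sys_content_t:s0
"""

# file type filter -> st_mode file type it matches
TYPE_FILTERS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}


def parse_file_contexts(text: str) -> list:
    """Return [(compiled regex, type filter or None, context or None)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
            if ftype not in TYPE_FILTERS:
                raise ValueError(f"unknown file type filter in {raw!r}")
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors each regex to the whole path; fullmatch does the same
        entries.append((re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return entries


def lookup(entries: list, path: str, mode: int = stat.S_IFREG):
    """Context for path, or None when nothing matches or the match is <<none>>
    (both mean "leave the file alone"). Later entries take precedence."""
    for regex, ftype, ctx in reversed(entries):
        if ftype is not None and stat.S_IFMT(mode) != TYPE_FILTERS[ftype]:
            continue
        if regex.fullmatch(path):
            return ctx
    return None


def plan_relabel(entries: list, path: str, mode: int, current: str, force: bool = False):
    """Context restorecon would set on path, or None if it would leave it unchanged.
    Without -F (force=False) only the type field is reset; user, role and range stay."""
    wanted = lookup(entries, path, mode)
    if wanted is None:
        return None
    if force:
        return None if wanted == current else wanted
    cur, want = current.split(":", 3), wanted.split(":", 3)  # maxsplit keeps an MLS range intact
    if cur[2] == want[2]:
        return None
    cur[2] = want[2]
    return ":".join(cur)


if __name__ == "__main__":
    entries = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p, m in [("/etc/shadow", stat.S_IFREG), ("/etc/shadow", stat.S_IFDIR), ("/proc", stat.S_IFDIR)]:
        print(p, lookup(entries, p, m))
    print(plan_relabel(entries, "/srv/app/index.html", stat.S_IFREG, "unconfined_u:object_r:user_home_t:s0"))
```

The /etc/shadow entries show why the file type filter matters: a regular file named /etc/shadow gets shadow_t, but a directory of that name falls through to etc_t. The /srv/app entry shows the semanage fcontext pattern: because it sits after the catch-all `/.*` entry, it wins, and restorecon then rewrites only the type while preserving the owner's SELinux user.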
Runtime tools are used at runtime on end-systems to change or view the running behavior of SELinux. Some, such as setroubleshootd (only useful if end users need help debugging policy denials beyond what audit2why/audit2allow provide) and mcstransd (only needed on systems that use MCS/MLS label translation), need not be installed on every end-system.
| Tool name | Description | Source |
| --- | --- | --- |
| avcstat | give statistics about the in-kernel access vector cache, such as number of lookups, hits and misses | libselinux-utils |
| genhomedircon | generate user home directory file contexts based on template file contexts (HOMEDIR, HOMEROOT, etc) | policycoreutils |
| getenforce | get the enforcing state of the kernel access vector cache | libselinux-utils |
| getsebool | get the current state of an SELinux boolean in the SELinux security server | libselinux-utils |
| load_policy | load the active kernel policy | policycoreutils |
| mcstransd | daemon that provides translations for levels and categories | mcstrans |
| newrole | change your role, type or level; requires re-authentication; suitable for use by user domains | policycoreutils |
| open_init_pty | used by run_init to run a process under a new pty | policycoreutils |
| runcon | run a command with a specified SELinux context; does not re-authenticate; suitable for use in scripts to run a service in a different domain | coreutils |
| run_init | run an init script in the appropriate domain | policycoreutils |
| sefcontext_compile | compile file contexts configurations to a binary version for faster lookup | libselinux-utils |
| selinuxenabled | check whether SELinux is currently enabled | libselinux |
| semanage | manage several aspects of SELinux including port, interface and node labeling, persistent file context and boolean settings, authorized roles and levels for SELinux users, authorized SELinux users and levels for seusers (login or Linux users), MLS translations and permissive types | selinux-python (>= 2.7 upstream) or policycoreutils (<= 2.6 upstream) |
| semodule | insert, delete and list SELinux policy modules on the running system | policycoreutils |
| sestatus | get several pieces of information about the running state of SELinux including enabled status, enforcing/permissive, policy name and contexts of various important processes and files | policycoreutils |
| setenforce | set the enforcing state of the kernel access vector cache | libselinux |
| setroubleshootd | a daemon that watches for denials and offers suggestions on fixing them (has multiple frontends including a GNOME tray interface) | Red Hat |
| setsebool | set the state of an SELinux boolean either temporarily or persistently | policycoreutils |
| system-config-selinux | Red Hat GUI that wraps most semanage functionality | Red Hat |
| togglesebool | toggle an SELinux boolean at runtime only, not persistently | libselinux |
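chcat, the semanage user and login range settings, and mcstransd all manipulate MLS/MCS levels such as `s0:c1,c3.c7` and ranges such as `s0-s0:c0.c1023`. The following Python script is an added example (not code from any of these tools) that parses a level into a sensitivity and a category set, renders it back using the kernel's convention of writing `cA.cB` only for a run of three or more consecutive categories, applies chcat-style `+cN`/`-cN` edits, and checks that the high level of a range dominates the low level, which the kernel requires of any valid range. All levels shown are constructed for the example.

```python
"""Parse, edit and validate MLS/MCS levels and ranges (added example, not tool code)."""
import re

LEVEL_RE = re.compile(r"s(\d+)(?::(.+))?")      # s<sens>[:<categories>]
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")     # c<n> or c<a>.c<b>


def parse_level(level: str):
    """'s0:c0,c2.c5' -> (0, {0, 2, 3, 4, 5}); a bare 's0' has an empty category set."""
    m = LEVEL_RE.fullmatch(level)
    if not m:
        raise ValueError(f"malformed level: {level!r}")
    sens, cats = int(m.group(1)), set()
    if m.group(2):
        for item in m.group(2).split(","):
            cm = CAT_RE.fullmatch(item)
            if not cm:
                raise ValueError(f"malformed category: {item!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if hi < lo:
                raise ValueError(f"descending category range: {item!r}")
            cats.update(range(lo, hi + 1))
    return sens, cats


def format_level(sens: int, cats) -> str:
    """Inverse of parse_level. Follows the kernel's rendering: three or more consecutive
    categories become 'cA.cB', a run of two stays 'cA,cB'."""
    runs = []
    for c in sorted(cats):
        if runs and c == runs[-1][1] + 1:
            runs[-1][1] = c
        else:
            runs.append([c, c])
    parts = []
    for a, b in runs:
        if a == b:
            parts.append(f"c{a}")
        elif b == a + 1:
            parts.append(f"c{a},c{b}")
        else:
            parts.append(f"c{a}.c{b}")
    return f"s{sens}" + (":" + ",".join(parts) if parts else "")


def apply_chcat(level: str, ops) -> str:
    """Apply chcat-style edits ('+c3', '-c4', '+c10.c12') to a level; returns the new level."""
    sens, cats = parse_level(level)
    for op in ops:
        if not op or op[0] not in "+-":
            raise ValueError(f"bad chcat operation: {op!r}")
        _, delta = parse_level(f"s{sens}:{op[1:]}")  # reuse the category parser
        cats = cats | delta if op[0] == "+" else cats - delta
    return format_level(sens, cats)


def dominates(high: str, low: str) -> bool:
    """True if high dominates low: sensitivity not lower and categories a superset."""
    hs, hc = parse_level(high)
    ls, lc = parse_level(low)
    return hs >= ls and lc <= hc


def parse_range(rng: str):
    """'s0-s0:c0.c1023' -> ('s0', 's0:c0.c1023'); a single level is its own low and high.
    Raises ValueError when the high level does not dominate the low, which the kernel
    rejects as an invalid context."""
    low, _, high = rng.partition("-")
    high = high or low
    if not dominates(high, low):
        raise ValueError(f"high level {high!r} does not dominate low level {low!r}")
    return low, high


if __name__ == "__main__":
    print(apply_chcat("s0:c0.c3", ["+c7", "-c1"]))
    print(parse_range("s0-s0:c0.c1023"))
```

The dominance check is the one worth remembering when assigning ranges with semanage: a login mapped to `s0:c5-s0:c0.c3` is not a narrower clearance, it is an invalid context, and the kernel will refuse it.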