Tools
Analysis tools are primarily used to analyze the kernel policy (either the on-disk policy file or the kernel's in-memory policy via /sys/fs/selinux/policy) for certain criteria, for example information flow. These tools form the basis on which we can make claims concerning the security properties of an SELinux system. They are required on development systems being used to analyze a target policy, and are rarely installed on production systems.
| Tool name | Description | Package |
|---|---|---|
| apol | perform many analyses on the target policy including domain transition, information flow, standard queries, filesystem analysis and so on | setools-gui |
| sechecker | configuration-driven automated policy analysis | setools-console |
| sediff | perform a semantic difference between two policies | setools-console |
| sedta | perform domain transition analysis on a policy | setools-console-analyses |
| seinfo | query the components of an SELinux policy | setools-console |
| seinfoflow | perform information flow analysis on a policy | setools-console-analyses |
| sesearch | search a policy file for various policy rules or components such as allow rules, symbols, etc. | setools-console |
Build time tools are used during building a policy from source into modules or a monolithic kernel policy. They are required on systems that intend to build policies from source, including production systems that use tools such as audit2allow to add new policy rules at runtime. They are not required on typical non-developer end-systems.
| Tool name | Description | Package |
|---|---|---|
| checkmodule | compile a binary policy module from a module source file | checkpolicy |
| checkpolicy | compile a kernel policy from a policy source file | checkpolicy |
| semodule_package | create a binary policy package from a binary module and optionally zero or more of the file contexts, seusers, user_extra and/or netfilter_contexts files | semodule-utils (upstream) or policycoreutils (Fedora) |
| semodule_unpackage | extract the binary policy module and optionally the file contexts file from a binary policy package | semodule-utils (upstream) or policycoreutils (Fedora) |
| secilc | compile a binary kernel policy from a Common Intermediate Language (CIL) policy module | secilc |
Development tools are used when writing or debugging SELinux policy and are typically installed on development systems or end-systems during development and testing. Some tools are more focused on typical end-users while others are more focused on experienced kernel or policy developers. For example, audit2allow may be used by typical end users to create policies from audit messages, while sedispol would generally only be used by kernel or policy developers to inspect specific components of a kernel policy.
| Tool name | Description | Package |
|---|---|---|
| audit2allow | generate allow rules from SELinux AVC audit messages | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| audit2why | diagnose the cause of SELinux AVC audit messages via policy analysis | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| dismod | query various parts of a compiled policy module or policy package | checkpolicy (as sedismod in Fedora) |
| dispol | query various parts of a compiled kernel policy | checkpolicy (as sedispol in Fedora) |
| getconlist | list all SELinux contexts reachable for the specified user from the current or specified context | libselinux-utils (as selinuxconlist in Fedora) |
| getdefaultcon | display the default SELinux context for the specified user from the specified context | libselinux-utils (as selinuxdefcon in Fedora) |
| getpolicyload | display the maximum policy version supported by the kernel for loading | libselinux-utils |
| matchpathcon | query the active file_contexts file for how a particular path should be labeled | libselinux-utils |
| selabel_compare | compare two label configuration files | libselinux-utils |
| selabel_digest | compute digests for a label configuration | libselinux-utils |
| selabel_get_digests_all_partial_matches | check directory digest xattr against digest from labeling configuration | libselinux-utils |
| selabel_lookup | look up the label for a given key in a label configuration | libselinux-utils |
| selabel_lookup_best_match | look up the best matching context for a path with multiple links | libselinux-utils |
| selabel_partial_match | determine whether a partial match is possible for a path | libselinux-utils |
| selinuxexeccon | display the SELinux context that would be used for an executable from the current or specified context | libselinux-utils |
| selinux-polgengui | GUI for policy generation | selinux-gui (upstream) or policycoreutils-gui (Fedora) |
| selinux_check_access | check whether the specified permission is allowed | libselinux-utils |
| semodule_expand | expand a base policy module into a kernel policy | semodule-utils (upstream) or policycoreutils (Fedora) |
| semodule_link | link a list of policy modules together | semodule-utils (upstream) or policycoreutils (Fedora) |
| sepolgen | generate a policy module | selinux-python (upstream) or policycoreutils-devel (Fedora) |
| sepolgen-ifgen | generate the interface file that audit2allow uses to match interfaces to rules when generating refpolicy style policy modules | selinux-python (upstream) or policycoreutils-devel (Fedora) |
| sepolicy | front-end for inspecting or generating policy | selinux-python (upstream) or policycoreutils-devel (Fedora) |
| validatetrans | validate a context transition against policy | libselinux-utils |
Relabeling tools are used to relabel files given different kinds of inputs. Some tools simply take a context while others query the active file_contexts file on the system. Some are able to look at the package data of the distribution they are using to get a list of files to be relabeled. Not included in this list is the init script or systemd unit file used on some systems to relabel a filesystem automatically at boot time when necessary.
| Tool name | Description | Package |
|---|---|---|
| chcon | change the context or part of a context on a file | coreutils |
| chcat | change the categories on a file, or the authorized categories for a user | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| fixfiles | fix file labels based on active policy file_contexts files | policycoreutils |
| rlpkg | relabel files based on Gentoo package (Gentoo specific) | gentoo |
| restorecon | restore files to the contexts specified by the file_contexts files | policycoreutils |
| restorecond | daemon that watches for new files to be created and labels them at runtime | restorecond (upstream) or policycoreutils-restorecond (Fedora) |
| setfiles | relabel files based on file_contexts configuration or verify file_contexts validity against binary policy | policycoreutils |
Runtime tools are used at runtime on end-systems to change or view the running behavior of SELinux. Some might not be installed on end-systems, such as setroubleshootd (only needed if end users need notifications of and help with policy denials), system-config-selinux (only needed if a GUI is required to manage SELinux), and mcstransd (only needed on systems requiring MCS/MLS human-readable label translation configurations). These three tools should be omitted from systems that do not require them.
| Tool name | Description | Package |
|---|---|---|
| avcstat | give statistics about the in-kernel access vector cache, such as number of lookups, hits and misses | libselinux-utils |
| genhomedircon | generate user home directory file contexts based on template file contexts (HOMEDIR, HOMEROOT, etc.) | policycoreutils |
| getenforce | get the enforcing state of the kernel access vector cache | libselinux-utils |
| getsebool | get the current state of an SELinux boolean in the SELinux security server | libselinux-utils |
| load_policy | load the active kernel policy | policycoreutils |
| mcstransd | daemon that provides translations for levels and categories | mcstrans |
| newrole | change your role, type or level; requires re-authentication; suitable for use by user domains | policycoreutils |
| runcon | run a command with a specified SELinux context; does not re-authenticate; suitable for use in scripts to run a service in a different domain | coreutils |
| secon | display the full context or its components for a specified object (file, process, key) | policycoreutils |
| sefcontext_compile | compile file contexts configurations to a binary version for faster lookup | libselinux-utils |
| selinuxenabled | check whether SELinux is currently enabled | libselinux-utils |
| semanage | manage several aspects of SELinux including port, interface and node labeling, persistent file context and boolean settings, authorized roles and levels for SELinux users, authorized SELinux users and levels for seusers (login or Linux users), MLS translations and permissive types | selinux-python (upstream) or policycoreutils-python-utils (Fedora) |
| semodule | insert, delete and list SELinux policy modules on the running system | policycoreutils |
| sestatus | get several pieces of information about the running state of SELinux including enabled status, enforcing/permissive, policy name and contexts of various important processes and files | policycoreutils |
| setenforce | set the enforcing state of the kernel access vector cache | libselinux-utils |
| setroubleshoot | a daemon that watches for denials and offers suggestions on fixing them (has multiple frontends including a GNOME tray interface) | setroubleshoot-server (Fedora) |
| setsebool | set one or more SELinux booleans | policycoreutils |
| system-config-selinux | GUI for managing SELinux | selinux-gui (upstream) or policycoreutils-gui (Fedora) |