SELinux [Electronic resources], text version

Bill McCarty
9.10 Policy Management Tools


Tresys Technology, a network services
company, has published a set of open source GUI tools for SELinux
policy management. Most releases of SELinux include at least one of
the Tresys tools, which are:

Apol

Supports analysis of the SELinux policy.conf file.


Seaudit

Supports searching, sorting, and viewing AVC log messages.


Sepcut

Supports browsing and editing of SELinux policy components.


Seuserx

Supports adding, changing, and removing Linux and SELinux users.



The following subsections briefly describe these tools. My intention
is not to show you how to use the tools but to
help you understand what they do, so that you can decide
when to use them and which
tool to use. Because the tools are regularly improved, I advise you
to refer to the tools' help files for information on
operating them. If your SELinux release does not include the Tresys
tools, you can obtain them at http://www.tresys.com/.


9.10.1 Apol


The
Apol tool enables you to analyze an SELinux
policy. It does not work with the component files that compose the
policy, but only with policy.conf. So you should
compile the SELinux policy before using Apol. You can do so by
issuing the command:

make load

from within the SELinux src/policy directory.
Figure 9-1 shows Apol's main
window after using its File menu to open the
policy.conf file.


Figure 9-1. Apol's main window

Apol's main window contains four primary tabs:

Policy Components


Supports searching and viewing policy
components: types, type attributes, type aliases, object classes,
object permissions, roles, users, initial SIDs, and SELinux Booleans.


Policy Rules


Supports working with policy rules: allow, neverallow, auditallow,
dontaudit, type_transition, and type_change declarations.


Analysis


Supports several analysis operations,
including forward and reverse domain transition analyses, direct
information flow analysis, and indirect (transitive) information flow
analysis.


policy.conf


Enables you to view the
policy.conf file.



The following subsections describe the operations associated with
Apol's first three tabs. You can learn more about
Apol by studying its help file, available via the Help menu.


9.10.1.1 Policy components

As shown in Figure 9-1, the
Policy Components tab contains six
secondary tabs related to the policy component types:

Types


Lets
you search types, type attributes, and aliases by specifying a
regular expression. Double-clicking a type, attribute, or alias
provides a summary description. The Search Results window displays
policy.conf lines related to types and
attributes having names matching the regular expression.


Classes/Perms


Lets you search object classes, common
permissions, and permissions by specifying a regular expression. The
Search Results window displays policy.conf lines
related to object classes having names matching the regular
expression. Double-clicking a class, common permission, or permission
provides a summary description. Figure 9-2 shows a
sample query and its result.


Roles


Lets
you search roles and their attributes by specifying regular
expressions for role or type. The tab makes it simple to identify all
roles that include a specified type. Double-clicking a role provides
a summary description. Figure 9-3 shows the result
of a query requesting all roles.


Users


Lets
you search SELinux user identities and their associated roles. Figure 9-4 shows the result of a query requesting all
users.


Initial SIDs


Lets you search initial SIDs and their
associated security contexts. Figure 9-5 shows the
result of a query requesting all initial SIDs.


Booleans


Lets you search SELinux Booleans. Figure 9-6 shows the result of a query requesting all
Booleans.




Figure 9-2. Apol's Classes/Perms tab


Figure 9-3. Apol's Roles tab


Figure 9-4. Apol's Users tab


Figure 9-5. Apol's Initial SIDs tab


Figure 9-6. Apol's Booleans tab


Figure 9-7. Apol's Policy Rules tab


9.10.1.2 Policy rules

Figure 9-7 shows Apol's
Policy Rules tab, which contains three
secondary tabs:

TE Rules


This tab lets you search
type-enforcement rules. The tab supports several search criteria:


Rule Selection


Lets you narrow the scope of a search to include only specified rules.


Type/Attributes


Lets you search by types and type attributes used as source, target,
or default types in rules.


Classes/Permissions


Lets you search by object classes and permissions, returning only
rules that reference the specified classes and permissions.



The results window displays all rules matching the specified search
criteria. Each displayed rule includes a hyperlink that points to the
rule's place in the policy.conf
file.

RBAC Rules


Figure 9-8 shows the
RBAC tab, which lets you search role-based access control rules in
much the same way as the TE tab lets you search type enforcement
rules.


Conditional Expressions


Figure 9-9 shows the
Conditional Expressions tab, which lets you search conditional
expressions for the following rule types:



audit rules

allow rules

transition rules


You can search by specifying a regular expression that matches the
name of a Boolean appearing within a conditional expression. Each
rule displayed in the results window includes a hyperlink that points
to the rule's location within the
policy.conf file.


Figure 9-8. Apol's RBAC Rules tab


Figure 9-9. Apol's Conditional Expressions tab


9.10.1.3 Analysis

The Analysis tab is perhaps the most
interesting and useful of Apol's tabs. It enables
you to perform three types of analysis:

Domain transition analysis


We generally think of a domain
transition as a single step involving two domains: the source
(beginning) domain and the target (ending) domain. But suppose your
SELinux policy permits domain A to transition to domain B and also
permits domain B to transition to domain C. There's
no single-step path between domains A and C. Nevertheless, by
executing two transitions a process can move from domain A to domain
C.

A forward domain analysis shows the
domains that can be reached in one or more transition steps from a
given domain. To perform a forward domain transition analysis, you
first specify a source domain. Apol then presents a tree identifying
the target domains that can be reached directly from the specified
source domain. Using a mouse or other pointing device, you can walk
the tree, inspecting the rules that authorize each transition. Figure 9-10 shows the result of a simple forward domain
analysis.




Figure 9-10. A forward domain analysis

A reverse domain analysis simply goes in
the opposite direction. You specify a target domain, and Apol
identifies the source domains that can reach the specified target
domain in one or more transition steps.

Direct information flow analysis


Direct information flow analysis
generalizes the domain analysis operation in two respects. First, it
lets you specify the direction of the relationship between domains as
IN, OUT, EITHER, or BOTH. Second, the relationship extends beyond
domain transitions to include information flows. Roughly speaking, an
information flow exists between two domains if one member of the pair
can read or write objects having the type of the other member of the
pair. For a more precise explanation of information flows, see the
white paper titled An Overview of Information Flow
Analysis, available on the Tresys web site.


Indirect (transitive) information flow analysis


Indirect information
flow analysis generalizes direct information flow analysis by showing
relationships along indirect paths between pairs of domains. For
instance, suppose that no information flow exists between domains A
and C. If an information flow exists between domains A and B, and
another exists between domains B and C, an indirect information flow
may exist between domains A and C. Informally, indirect information
flow analysis shows which domains interact with other domains. See
the Apol help file for more information on indirect information
flow analysis.
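The following Python example is added here as an illustration of the operations described for the Policy Rules tab (TE rule search) and the Analysis tab; it is not code from the book, from Apol, or from Tresys. It assumes a constructed policy.conf excerpt containing only allow rules, a simplified read/write classification of permissions (Apol uses its own permission map file), and it treats a domain transition as authorized by the process transition permission alone (Apol additionally checks the execute and entrypoint rules on the entry file type). On those assumptions it implements a TE rule search, forward and reverse domain transition analysis over one or more steps, and direct and indirect information flow analysis with the IN/OUT/EITHER/BOTH directions discussed above.

```python
import re
from collections import deque

# Constructed policy.conf-style excerpt (sample data, not taken from the book).
SAMPLE_POLICY = """\
allow user_t passwd_exec_t:file { execute };
allow user_t passwd_t:process transition;
allow passwd_t shadow_t:file { read write };
allow passwd_t helper_exec_t:file execute;
allow passwd_t helper_t:process transition;
allow helper_t log_t:file { append write };
allow user_t user_home_t:file { read write };
allow auditd_t log_t:file read;
"""

ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);')
# Simplified read/write classification (an assumption; Apol uses its own permission map).
WRITE_PERMS = {'write', 'append', 'create', 'setattr', 'unlink', 'rename'}
READ_PERMS = {'read', 'getattr', 'execute'}

def parse_allow_rules(text):
    """Return (source, target, class, perms) tuples, one per allow rule."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.strip('{}').split())))
    return rules

def search_te_rules(rules, source=None, target=None, cls=None, perm=None):
    """TE Rules search: every criterion given must match (source/target are regexes)."""
    return [r for r in rules
            if (source is None or re.search(source, r[0]))
            and (target is None or re.search(target, r[1]))
            and (cls is None or r[2] == cls)
            and (perm is None or perm in r[3])]

def transition_edges(rules):
    """Domain-transition graph: edge A->B when A holds process:transition to B.
    Simplification: Apol also checks the execute/entrypoint rules on the entry file."""
    edges = {}
    for src, tgt, cls, perms in rules:
        if cls == 'process' and 'transition' in perms:
            edges.setdefault(src, set()).add(tgt)
    return edges

def flow_edges(rules):
    """Information-flow graph: edge X->Y when data can move from X to Y.
    Domain D writing type T gives D->T; D reading T gives T->D."""
    edges = {}
    for src, tgt, cls, perms in rules:
        if cls == 'process':
            continue
        if perms & WRITE_PERMS:
            edges.setdefault(src, set()).add(tgt)
        if perms & READ_PERMS:
            edges.setdefault(tgt, set()).add(src)
    return edges

def reverse_edges(edges):
    rev = {}
    for src, tgts in edges.items():
        for tgt in tgts:
            rev.setdefault(tgt, set()).add(src)
    return rev

def reachable(edges, start):
    """Breadth-first search. Maps each node reachable in one or more steps to
    its predecessor, so the chain of rules behind any result can be walked back."""
    pred, queue = {}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt != start and nxt not in pred:
                pred[nxt] = node
                queue.append(nxt)
    return pred

def domain_analysis(rules, domain, reverse=False):
    """Forward (domains reachable from `domain`) or reverse (domains that can
    reach `domain`) transition analysis over one or more steps."""
    edges = transition_edges(rules)
    return reachable(reverse_edges(edges) if reverse else edges, domain)

def direct_flow(rules, domain, direction):
    """Direct flows touching `domain` in Apol's IN / OUT / EITHER / BOTH sense."""
    edges = flow_edges(rules)
    out = edges.get(domain, set())
    inn = reverse_edges(edges).get(domain, set())
    return {'OUT': out, 'IN': inn, 'EITHER': out | inn, 'BOTH': out & inn}[direction]

def indirect_flow(rules, domain, direction='OUT'):
    """Transitive flow: all types `domain` eventually reaches (OUT) or is reached from (IN)."""
    edges = flow_edges(rules)
    return reachable(reverse_edges(edges) if direction == 'IN' else edges, domain)

RULES = parse_allow_rules(SAMPLE_POLICY)
```

In the sample, domain_analysis(RULES, 'user_t') reports passwd_t and helper_t even though no single rule lets user_t reach helper_t, which is the two-step case the text describes; the returned predecessor map gives the chain user_t, passwd_t, helper_t. Likewise indirect_flow(RULES, 'helper_t') reaches auditd_t through log_t although direct_flow(RULES, 'helper_t', 'EITHER') does not contain auditd_t.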




9.10.2 Seaudit


Figure 9-11
shows the main
window of Seaudit, a GUI tool for viewing AVC messages within system
logs. Seaudit can display messages as they are logged (in real time)
or after the fact from an existing log. Menu items
let you specify the columns to be displayed, and search buttons let
you construct, save, and run queries that select only a subset of log
messages. You can also query the SELinux policy based on information
contained within a log entry.
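As an added example, and not code from the book or from Seaudit, the following Python parses AVC messages in the classic kernel format as they appear in syslog, then filters and sorts them in the way the text describes and summarizes denials by the (source type, target type, class, permission) tuple you would take into a policy query. The log lines are constructed sample data; the column names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the classic kernel AVC format as it appears in
# syslog (sample data, not taken from the book or from a real system).
SAMPLE_LOG = """\
Jan 10 12:34:56 host kernel: audit(1105361696.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 10 12:34:57 host kernel: audit(1105361697.001:46): avc:  granted  { setenforce } for  pid=987 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jan 10 12:35:02 host kernel: audit(1105361702.500:47): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev=hda3 ino=777 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jan 10 12:35:09 host kernel: audit(1105361709.250:48): avc:  denied  { name_connect } for  pid=2048 comm="sendmail" scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Jan 10 12:35:10 host kernel: eth0: link is up
"""

AVC_RE = re.compile(
    r'^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC message, or None for any other log line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(rec.pop('fields')))
    # Split each context into user:role:type so queries can match on the type alone.
    for side in ('scontext', 'tcontext'):
        if side in rec:
            rec[side[0] + 'type'] = rec[side].split(':')[2]
    return rec

def parse_log(text):
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]

def query(records, **criteria):
    """Seaudit-style filter: each criterion is a regular expression that must
    fully match the named field; 'perms' matches any permission in the braces."""
    def matches(rec):
        for key, pattern in criteria.items():
            if key == 'perms':
                if not any(re.fullmatch(pattern, p) for p in rec['perms']):
                    return False
            elif key not in rec or not re.fullmatch(pattern, rec[key]):
                return False
        return True
    return [rec for rec in records if matches(rec)]

def sort_records(records, column, descending=False):
    """Sort on any displayed column; records lacking the column sort first."""
    return sorted(records, key=lambda r: r.get(column, ''), reverse=descending)

def denial_summary(records):
    """Count denials per (source type, target type, class, permission), the
    tuple an administrator needs in order to look the rule up in the policy."""
    counts = Counter()
    for rec in records:
        if rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

RECORDS = parse_log(SAMPLE_LOG)
```

The stype, ttype and tclass fields of a parsed record are exactly the source, target and class criteria of a TE rule search, which is the "query the policy from a log entry" step described above; unrelated kernel lines are dropped by the parser rather than failing it.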


Figure 9-11. The Seaudit main window


9.10.3 Sepcut


Sepcut
helps you browse
and edit policy component files. Figure 9-12 shows
Sepcut's main window. The window includes three main
tabs:


Figure 9-12. Sepcut's main window

Browse Policy


Lets you view and modify policy
component files.


Policy Modules


Lets you view or edit policy modules and
individually enable or disable them. The term policy
module refers to a pair of files consisting of an FC file
and a TE file.


Test Policy


Lets you compile and load a policy.




9.10.4 Seuserx


Seuserx lets you add, change, and delete
Linux and SELinux users. Its main window, shown in Figure 9-13, includes five buttons, as well as an Exit
button:


Figure 9-13. Seuserx's main window

Add


Lets you add a new user.


View/Change


Lets you view and change user
characteristics.


Delete


Lets you delete a user.


Advanced


Lets you configure characteristics of
generic users: users who don't have specific
SELinux identities and are therefore associated with the
user_u
SELinux identity.


Update Policy


When you exit Seuserx, it automatically
loads a new security policy reflecting any changes
you've made. However, you can use the Update Policy
button to manually load a new policy whenever you like.



