Tresys Technology, a network services company, has published a set of open source GUI tools for SELinux policy management. Most releases of SELinux include at least one of the Tresys tools, which are:
Apol
Supports analysis of the SELinux policy.conf file.
Seaudit
Supports searching, sorting, and viewing AVC log messages.
Sepcut
Supports browsing and editing of SELinux policy components.
Seuserx
Supports adding, changing, and removing Linux and SELinux users.
The following subsections briefly describe these tools. My intention is not to show you how to use the tools but to help you understand what they do, so that you can decide when to use them and which tool to use. Because the tools are regularly improved, I advise you to refer to the tools' help files for information on operating them. If your SELinux release does not include the Tresys tools, you can obtain them at http://www.tresys.com/.
The Apol tool enables you to analyze an SELinux policy. It does not work with the component files that compose the policy, but only with policy.conf. So you should compile the SELinux policy before using Apol. You can do so by issuing the command:
make load
from within the SELinux src/policy directory. Figure 9-1 shows Apol's main window after using its File menu to open the policy.conf file.
Apol's main window contains four primary tabs:
Policy Components
Supports searching and viewing policy components: types, type attributes, type aliases, object classes, object permissions, roles, users, initial SIDs, and SElinux Booleans.
Policy Rules
Supports working with policy rules: allow , neverallow , auditallow , dontaudit , type_transition , and type_change declarations.
Analysis
Supports several analysis operations, including forward and reverse domain transition analyses, direct information flow analysis, and indirect (transitive) information flow analysis.
policy.conf
Enables you to view the policy.conf file.
The following subsections describe the operations associated with Apol's first three tabs. You can learn more about Apol by studying its help file, available via the Help menu.
As shown in Figure 9-1, the Policy Components tab contains six secondary tabs related to the policy component types:
Types
Lets you search types, type attributes, and aliases by specifying a regular expression. Double-clicking a type, attribute, or alias provides a summary description. The Search Results window displays policy.conf lines related to types and attributes having names matching the regular expression.
Classes/Perms
Lets you search object classes, common permissions, and permissions by specifying a regular expression. The Search Results window displays policy.conf lines related to object classes having names matching the regular expression. Double-clicking a class, common permission, or permission provides a summary description. Figure 9-2 shows a sample query and its result.
Roles
Lets you search roles and their attributes by specifying regular expressions for role or type. The tab makes it simple to identify all roles that include a specified type. Double-clicking a role provides a summary description. Figure 9-3 shows the result of a query requesting all roles.
Users
Lets you search SELinux user identities and their associated roles. Figure 9-4 shows the result of a query requesting all users.
Initial SIDs
Lets you search initial SIDs and their associated security contexts. Figure 9-5 shows the result of a query requesting all initial SIDs.
Booleans
Lets you search SELinux Booleans. Figure 9-6 shows the result of a query requesting all Booleans.
Figure 9-7 shows Apol's Policy Rules tab, which contains three secondary tabs:
TE Rules
This tab lets you search type-enforcement rules. The tab supports several search criteria:
Rule Selection
Lets you narrow the scope of a search to include only specified rules.
Type/Attributes
Lets you search by types and type attributes used as source, target, or default types in rules.
Classes/Permissions
Lets you search by object classes and permissions, returning only rules that reference the specified classes and permissions.
The results window displays all rules matching the specified search criteria. Each displayed rule includes a hyperlink that points to the rule's place in the policy.conf file.
RBAC Rules
Figure 9-8 shows the RBAC tab, which lets you search role-based access control rules in much the same way as the TE tab lets you search type enforcement rules.
Conditional Expressions
Figure 9-9 shows the Conditional Expressions tab, which lets you search conditional expressions for the following rule types:
audit rules
allow rules
transition rules
You can search by specifying a regular expression that matches the name of a Boolean appearing within a conditional expression. Each rule displayed in the results window include a hyperlink that points to the rule's location within the policy.conf file.
The Analysis tab is perhaps the most interesting and useful of Apol's tabs. It enables you to perform three types of analysis:
Domain transition analysis
We generally think of a domain transition as a single step involving two domains: the source (beginning) domain and the target (ending) domain. But suppose your SELinux policy permits domain A to transition to domain B and also permits domain B to transition to domain C. There's no single-step path between domains A and C. Nevertheless, by executing two transitions a process can move from domain A to domain C.
A forward domain analysis shows the domains that can be reached in one or more transition steps from a given domain. To perform a forward domain transition analysis, you first specify a source domain. Apol then presents a tree identifying the target domains that can be reached directly from the specified source domain. Using a mouse or other pointing device, you can walk the tree, inspecting the rules that authorize each transition. Figure 9-10 shows the result of a simple forward domain analysis.
A reverse domain analysis simply goes in the opposite direction. You specify a target domain, and Apol identifies the source domains that can reach the specified source domain in one or more transition steps.
Direct information flow analysis
Direct information flow analysis generalizes the domain analysis operation in two respects. First, it lets you specify the direction of the relationship between domains as IN, OUT, EITHER, or BOTH. Second, the relationship extends beyond domain transitions to include information flows. Roughly speaking, an information flow exists between two domains if one member of the pair can read or write objects having the type of the other member of the pair. For a more precise explanation of information flows, see the white paper titled An Overview of Information Flow Analysis, available on the Tresys web site.
Indirect (transitive) information flow analysis
Indirect information flow analysis generalizes direct information flow analysis by showing relationships along indirect paths between pairs of domains. For instance, suppose that no information flow exists between domains A and C. If an information flow exists between domains A and B, and another exists between domains B and C, an indirect information flow may exist between domains A and C. Informally, indirect information flow analysis shows which domains interact with other domains. See the Apol help file for more information on indirect information flow analysis.
Figure 9-11 shows the main window of Seaudit, a GUI tool for viewing AVC messages within system logs. Seaudit can display results in real or nonreal time. Menu items let you specify the columns to be displayed, and search buttons let you construct, save, and run queries that select only a subset of log messages. You can also query the SELinux policy based on information contained within a log entry.
Sepcut helps you browse and edit policy component files. Figure 9-12 shows Sepcut's main window. The window includes three main tabs:
Browse Policy
Lets you view and modify policy component files.
Policy Modules
Lets you view or edit policy modules and individually enable or disable them. The term policy module refers to a pair of files consisting of an FC file and a TE file.
Test Policy
Lets you compile and load a policy.
Seuserx lets you add, change, and delete Linux and SELinux users. Its main window, shown in Figure 9-13, includes five buttons, as well as an Exit button:
Add
View/Change
Lets you view and change user characteristics.
Delete
Advanced
Lets you configure characteristics of generic usersusers who don't have specific SELinux identities and are therefore associated with the user_u SELinux identity.
Update Policy
When you exit Suserx, it automatically loads a new security policy reflecting any changes you've made. However, you can use the Update Policy button to manually load a new policy whenever you like