Chapter 6. Tools for Manipulating and Analyzing SELinux

An administrator's job may include analyzing and possibly manipulating the SELinux policy, as well as doing performance analysis and tuning. This chapter discusses analysis and tuning.

For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as discussed in Chapter 8 Customizing and Writing Policy. One early step to writing policy is analyzing existing policy so that you understand how it works. One example of this is given in Section 2.9.1 How To Backtrack a Rule, where a macro is analyzed through the process of backtracking to the source of a set of rules.

While some effective policy analysis can be done using standard command line text manipulation tools, sophisticated policy analysis requires stronger tools. The simpler targeted policy consists of more than 20,000 concatenated lines in policy.conf, which is derived from more than 150 macros and thousands of lines of TE rules and file context settings, all interacting in very complex ways. Tools such as apol are designed specifically for doing analysis of SELinux policy. This chapter discusses these tools, which are part of the setools package. In addition to the GUI analysis tools seaudit and apol, several command line tools that are useful for gathering information and statistics are explained.

Analysis is also necessary when doing performance tuning. Due to the real and potential workload imposed by the AVC system, you may have some situations where being able to manipulate how this works is useful to improving performance. This chapter presents some methods to tune your SELinux installation.

In order to use these applications, you need both the setools and setools-gui packages installed. The other packages you need come with the SELinux installation: libselinux and policycoreutils.

TipTip
 

When you are running a privileged application over ssh, meaning an application that requires you to have root privileges, you must use the -Y option. This option enables trusted X11 forwarding:

ssh -Y root@host.example.com

The configuration requiring this is enabled by default and is new to Red Hat Enterprise Linux 4.

6.1. Information Gathering Tools

These tools are command line tools, providing formatted output. They are harder to use as part of command line piping, but they provide gathered and well formatted information quickly.

avcstat

This provides a short output of the access vector cache statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds. This provides updated statistics since the initial output. The statistics file used is /selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file. For example, this might be useful for reviewing saved snapshots of /selinux/avc/cache_stats.

avcstat
   lookups       hits   misses    allocs    reclaims    frees
 194658175  194645272    12903     12903         880    12402

# This shows one second intervals:

avcstat 1
   lookups       hits    misses    allocs   reclaims    frees
 194670327  194657424     12903     12903        880    12402
       493        493         0         0          0        0
       370        370         0         0          0        0
       390        390         0         0          0        0
       366        366         0         0          0        0
       364        364         0         0          0        0

# With these five second intervals, you see the accumulation
# of lookups and hits over the course of the interval.

avcstat 5
   lookups       hits    misses    allocs   reclaims    frees
 194683017  194670114     12903     12903        880    12402
      1966       1966         0         0          0        0
      1824       1824         0         0          0        0

The lookups field shows the workload of the AVC. It is not uncommon to have the number of hits be smaller than the number of lookups.

Section 6.4 Performance Tuning discusses how to use avcstat for performance tuning.

seinfo

This utility is useful in describing the break down of a policy, such as the number of classes, types, Booleans, allow rules, and so forth. Similar in function to some aspects of apol, seinfo is a quick command line utility that takes policy.conf or a binary policy file as input.

The results are going to be different between binary and source files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases as each formerly one line rule using brackets is now a number of individual lines.

Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial SIDs are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.

seinfo $SELINUX_SRC/policy.conf

Statistics for policy file: $SELINUX_SRC/policy.conf
Policy Version: v.18
Policy Type: source

   Classes:           53    Permissions:      192
   Types:            317    Attributes:        81
   Users:              3    Roles:              4
   Booleans:          20    Cond. Expr.:       21
   Allow:           2292    Neverallow:         7
   Auditallow:         2    Dontaudit:        225
   Type_trans:        99    Type_change:        0
   Role allow:         5    Role trans:         0
   Initial SIDs:      27

seinfo $SELINUX_POLICY/policy.18

Statistics for policy file: $SELINUX_POLICY/policy.18
Policy Version: v.18
Policy Type: binary

   Classes:           53    Permissions:      192
   Types:            316    Attributes:         0
   Users:              3    Roles:              4
   Booleans:          20    Cond. Expr.:       21
   Allow:          11134    Neverallow:         0
   Auditallow:         2    Dontaudit:        569
   Type_trans:       157    Type_change:        0
   Role allow:         5    Role trans:         0
   Initial SIDs:       0
sesearch

Similar to the way that seinfo provides light information gathering functionality from apol on the command line, sesearch lets you search for a particular type in the policy. Policy source or binary can be used.

sesearch -a -t httpd_sys_content_t $SELINUX_POLICY/policy.conf   

5 Rules match your search criteria
allow  httpd_suexec_t { httpd_sys_content_t \
  httpd_sys_script_ro_t httpd_sys_script_rw_t \
  httpd_sys_script_exec_t } : dir  { getattr search };
allow  httpd_sys_script_t  httpd_sys_content_t : dir  \
  { getattr search };
allow  httpd_t  httpd_sys_content_t : dir  { read getattr \
  lock search ioctl };
allow  httpd_t  httpd_sys_content_t : file  { read getattr \
  lock ioctl };
allow  httpd_t  httpd_sys_content_t : lnk_file  { getattr \
  read };

# This same search, when performed on the binary policy file, 
# generates 38 matching rules.

There are command line options to sesearch to control various factors of the search:

OptionBehavior
-s, --source <NAME> Search for rules that have the search expression as a source; <NAME> is a regular expression.
-t, --target <NAME> Search for rules that have <NAME> as a target.
-c, --class <NAME> Search for rules that have <NAME> as the object class.
-p, --perms <P1[,P2...]> Search for one or more specific permissions.
--allow Search for only allow rules.
--neverallow Search for only neverallow rules.
--audit Search for only dontaudit and auditallow rules.
--type Search for only type transition (type_trans) and type change (type_change) rules.
-i, --indirect Do an indirect search, which looks for rules deriving from a type's attribute.
-n, --noregex Do not use regular expression matching for types and attributes searched for.
-a, --all Show all rules. You must specify one of the rule types in your search terms: -a, --allow, --audit, --neverallow, or --type.
-l, --lineno In the search results, specify the line number in policy.conf. This option is ignored when you search a binary policy.

Table 6-1. Options for sesearch