Notes on SElinux: tools

There are a number of tools, both command line and graphical, that allow analysis, configuration, and changes to the running SElinux policy. I will summarise some of the most useful ones here. For further and more complete information, most have a man page. Many of these tools require appropriate privileges for accessing the SElinux configuration, policies and internals (e.g. usually root).

  • sestatus A command line tool that shows the current status of SElinux on the system. For example, is SElinux in enforcing mode, what is the policy and version, etc. It has a configuration file /etc/sestatus.conf that allows certain files and processes to be specified so that when sestatus is called with the -v option, it shows the SElinux contexts of those files and processes.
  • seinfo A command line tool that allows querying of the current active policy (or a specified one if given as an argument). For example, if I want to see all the object classes in the current/active policy I could use the command:
    # seinfo --classes
    file
    fifo_file
    ...
    (remember an object class groups the permissions a process can be granted for this type of object - see the introductory notes). This command can show a number of useful things. Statistics on numbers of classes, types, user identities, permissions, etc. can be printed with the --stats option.
  • setenforce A command line tool to switch between the SElinux enforcing and permissive modes. In enforcing mode (argument is 1) SElinux prevents and logs any and all requests that are not allowed by rules in the current active policy. In permissive mode (argument 0), all requests are allowed and those that should be denied are simply logged.
  • semanage A general tool that allows certain parts of the SElinux configuration and policy to be altered on the fly. Examples include altering a user's SElinux login identity, altering a type's access to network ports, and re-labelling parts of the file system with file contexts.
  • semodule A command line tool for managing policy modules. If run with the argument -l it will list all the modules and their versions that make up the current active policy:
    # semodule -l
    evolution 1.1.0
    mozilla 1.1.0
    mplayer 1.1.0
    ...
    This tool also has options to install new modules (-i) and remove modules (-r).
  • restorecon A command line tool to "restore" the default SELinux security contexts for objects given as arguments (files, directories etc.). At first glance this may not appear to be a very useful tool, but it is. A policy contains information on how the files in the file system are labelled. The directory /etc/selinux/targeted/contexts/files in Fedora contains files that show how the current policy labels the entire filesystem with contexts (these files are in the same format as the .fc files used in module definitions). When we install or remove module/base policies it may be necessary to relabel the relevant parts of the filesystem to the new default. This can be done with restorecon. With the -R argument, it will relabel recursively down sub-directories. By default this command relabels the given files and directories; however, with the -n argument, it can be used to simply verify the current labelling and report conflicts/errors.
  • chcon A command line tool in the genre of chmod, chown etc. It changes the security context of a particular file or files. With arguments it can selectively change the SElinux user, role or type (arguments -u, -r, -t respectively). With the -R argument, it will relabel recursively down sub-directories. For example,
    # chcon -R -t httpd_sys_content_t /var/html
    will set the context type to httpd_sys_content_t for the directory /var/html and all sub-files and sub-directories.
  • setroubleshoot A server and graphical frontend written in python to watch real-time AVC violations. The server setroubleshootd can be started at boot time and monitors the audit logs for AVC denials. When denials occur, they are flagged to the user using the panel notification area (in gnome). The graphical frontend provides an expansion of the AVC errors with some general rule-of-thumb stock solutions. This is a very useful tool for final debugging. For more information see the wiki.
  • apol A graphical tool that allows a comprehensive analysis of a given policy. The policy to analyse can be either given on the command line with the --policy option or loaded through the GUI. apol may also be started from the fedora/gnome panel "System→Administration→SELinux Policy Analysis".
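The restorecon and chcon entries above describe verifying labels with restorecon -n and relabelling a web root with chcon. As an added example that is not part of these notes (and not code from the policycoreutils project), here is a small Python script that runs the restorecon dry run, parses its verbose "Would relabel ... from ... to ..." lines, and separates mismatches that change the type (which the policy's type-enforcement rules key on) from ones that only differ in the SELinux user field. The exact wording of the dry-run lines is an assumption based on the policycoreutils releases I have used; the sample output embedded below is constructed, not captured from a real host.

```python
import re
import subprocess
import sys
from typing import List, NamedTuple


class LabelMismatch(NamedTuple):
    path: str
    current: str   # context the object carries now, e.g. unconfined_u:object_r:user_home_t:s0
    expected: str  # context the loaded policy's file_contexts assigns to that path


# Verbose dry-run lines as printed by `restorecon -n -v` on the policycoreutils
# releases I have checked; the exact wording is an assumption, so adjust the
# pattern if your release reports differently.
WOULD_RELABEL = re.compile(
    r"^Would relabel (?P<path>.+?) from (?P<current>\S+) to (?P<expected>\S+)$"
)

# Constructed sample output for a web root whose files were copied from a home
# directory; it is not captured from a real system.
SAMPLE_DRY_RUN = """\
Would relabel /var/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/html/img/logo.png from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
"""


def parse_dry_run(output: str) -> List[LabelMismatch]:
    """Turn `restorecon -n -v -R <dir>` output into a list of mismatches."""
    found = []
    for line in output.splitlines():
        m = WOULD_RELABEL.match(line.strip())
        if m:
            found.append(LabelMismatch(m["path"], m["current"], m["expected"]))
    return found


def type_of(context: str) -> str:
    """A context is user:role:type:level, so the type is the third field."""
    return context.split(":")[2]


def type_changes(mismatches: List[LabelMismatch]) -> List[LabelMismatch]:
    """Keep only entries whose type differs. Type-enforcement rules key on the
    type, so these are the mismatches that change what a domain may access;
    entries differing only in the SELinux user field are reported separately."""
    return [m for m in mismatches if type_of(m.current) != type_of(m.expected)]


def check_tree(path: str) -> List[LabelMismatch]:
    """Run the real dry run. Needs root on an SELinux-enabled host."""
    proc = subprocess.run(
        ["restorecon", "-n", "-v", "-R", path],
        capture_output=True, text=True, check=False,
    )
    return parse_dry_run(proc.stdout)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/html"
    mismatches = check_tree(target)
    for m in type_changes(mismatches):
        print(f"TYPE   {m.path}: {type_of(m.current)} -> {type_of(m.expected)}")
    for m in mismatches:
        if type_of(m.current) == type_of(m.expected):
            print(f"other  {m.path}: {m.current} -> {m.expected}")
    # Non-zero exit lets a cron job or deployment script notice drift.
    sys.exit(1 if mismatches else 0)
```

Run it as root with the directory to check; a non-zero exit means the on-disk labels no longer match the policy default and a `restorecon -R` is due. Note the interaction with chcon: a label set with chcon lives only on the object, so the next `restorecon -R` (or a full relabel) resets it to whatever the policy's file contexts say. To make the httpd_sys_content_t label from the chcon example survive that, register the path first with `semanage fcontext -a -t httpd_sys_content_t "/var/html(/.*)?"` and then run `restorecon -R /var/html`, after which this check reports nothing for that tree.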
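The setroubleshoot entry above describes a daemon that watches the audit log for AVC denials and summarises them. As an added illustration of what that first step involves (this is not setroubleshoot's code and is not part of the original notes), here is a minimal Python parser for AVC records from /var/log/audit/audit.log that pulls out the source domain, target type, object class and requested permissions, notes whether the denial was enforced or only logged (the permissive=1 field), and groups identical denials so a flood of records collapses into a few triage rows. The audit lines embedded below are constructed samples, not records from a real host.

```python
import re
import sys
from collections import Counter
from typing import Iterable, NamedTuple, Optional, Tuple


class AvcDenial(NamedTuple):
    source_type: str         # domain of the denied process, e.g. httpd_t
    target_type: str         # type of the object it tried to reach, e.g. user_home_t
    tclass: str              # object class, e.g. file or tcp_socket
    perms: Tuple[str, ...]   # permissions requested, e.g. ("read", "open")
    comm: str                # command name recorded by the kernel
    permissive: bool         # True if the denial was only logged, not enforced


# Audit AVC records look like:
#   avc:  denied  { read } for  pid=... comm="httpd" ... scontext=u:r:t:s0
#   tcontext=u:r:t:s0 tclass=file permissive=0
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

# Constructed sample audit.log lines (not captured from a real host): a web
# server reading mislabelled content, plus one denial recorded in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="logo.png" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""


def type_of(context: str) -> str:
    """A context is user:role:type:level, so the type is the third field."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; returns None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcDenial(
        source_type=type_of(m["scontext"]),
        target_type=type_of(m["tcontext"]),
        tclass=m["tclass"],
        perms=tuple(m["perms"].split()),
        comm=m["comm"],
        permissive=m["permissive"] == "1",
    )


def summarise(lines: Iterable[str]) -> Counter:
    """One row per distinct (source type, target type, class, perms, permissive)
    with a count, which is the shape a triage view needs."""
    rows: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rows[(d.source_type, d.target_type, d.tclass, d.perms, d.permissive)] += 1
    return rows


def report(rows: Counter) -> str:
    """Render the summary, most frequent denial first."""
    out = []
    for (src, tgt, cls, perms, logged_only), n in sorted(rows.items(), key=lambda kv: -kv[1]):
        mode = "logged only" if logged_only else "blocked"
        out.append(f"{n:4d}  {src} -> {tgt} ({cls}) {{ {' '.join(perms)} }}  [{mode}]")
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(summarise(fh)))
    else:
        print(report(summarise(SAMPLE_AUDIT.splitlines())))
```

With no argument it summarises the embedded sample; pass the path to audit.log (reading it needs root) to summarise a real log. The grouping key deliberately ignores pid, inode and file name, since the question during debugging is which domain needs which permission on which type, not which particular file triggered the first record; the permissive flag is kept in the key because, as the setenforce entry notes, denials in permissive mode are only logged, and a row marked "logged only" tells you what will start failing once enforcing mode is switched back on.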