D.2. SETools Suite

Tresys Technology has a long-standing suite of tools for analyzing and debugging SELinux policies. These tools are open source and are usually included in any Linux distribution that supports SELinux. The latest version of the tool suite and its source code are available from www.tresys.com/selinux.

All the source packages contain help files explaining how to use the tools and their features. All the tools are built on a common policy library, libapol, which is also included in the setools package.

apol

This is the SELinux policy analysis tool we use throughout this book. It accepts either a policy.conf file or a compiled binary policy file. It is able to parse almost all versions of SELinux policy. Apol allows complicated rule searches and has several powerful automated analysis modules that perform such things as information flow and domain transition analyses.

sediff

A utility to semantically compare two policies. It can compare source policies, binary policies, or a combination of both. It can be run from the command line or with a GUI front end. (Either sediffx or sediff -X brings up the GUI.)
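To show what "semantic" comparison means in practice, here is an added example (it is not code from this book or from the setools suite). It parses only the allow statements of two constructed policy.conf-style snippets, expands each rule into individual (source, target, class, permission) tuples, and then diffs those sets. Because the comparison is done on the expanded tuples, reordering rules or regrouping permissions into different braces produces no difference; only a real change in what is permitted shows up. The rule grammar accepted here is a simplified assumption, not the full policy language that sediff handles.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample policies (not taken from any real distribution policy).
# Policy B reorders and regroups the rules, drops one permission and adds
# a new rule, so a textual diff would be noisy but the semantic diff is small.
POLICY_A = """
allow httpd_t httpd_sys_content_t : file { read getattr open };
allow httpd_t httpd_sys_content_t : dir { search getattr };
allow httpd_t httpd_log_t : file { append create };
"""

POLICY_B = """
allow httpd_t httpd_log_t : file append;
allow httpd_t httpd_sys_content_t : dir { getattr search };
allow httpd_t httpd_sys_content_t : file { open getattr read };
allow httpd_t httpd_tmp_t : file { write create };
"""

Rule = Tuple[str, str, str, str]  # (source, target, class, permission)

# One allow rule; the permission part is either a bare word or a braced set.
# Assumption: simplified grammar (no attributes, no '~' or '*' permissions).
_ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;"
)


def parse_allow_rules(policy_text: str) -> Set[Rule]:
    """Expand every allow rule into (source, target, class, perm) tuples.

    Expanding to single permissions is what makes the comparison semantic:
    rule order and how permissions are grouped in braces no longer matter.
    """
    rules: Set[Rule] = set()
    for src, tgt, cls, perm_spec in _ALLOW_RE.findall(policy_text):
        for perm in perm_spec.strip("{}").split():
            rules.add((src, tgt, cls, perm))
    return rules


def semantic_diff(policy_a: str, policy_b: str) -> Dict[str, Set[Rule]]:
    """Return permissions present only in A ('removed') and only in B ('added')."""
    a = parse_allow_rules(policy_a)
    b = parse_allow_rules(policy_b)
    return {"removed": a - b, "added": b - a}


def format_report(diff: Dict[str, Set[Rule]]) -> str:
    """Render the diff as '-'/'+' lines, one permission per line."""
    lines = []
    for label, marker in (("removed", "-"), ("added", "+")):
        for src, tgt, cls, perm in sorted(diff[label]):
            lines.append(f"{marker} allow {src} {tgt} : {cls} {perm};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(semantic_diff(POLICY_A, POLICY_B)))
```

Run as a script it reports one removed permission (httpd_t may no longer create files of type httpd_log_t) and two added ones (write and create on httpd_tmp_t), which is exactly the kind of change a reviewer wants surfaced when a policy is rebuilt or upgraded.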

seaudit

A tool to browse and analyze SELinux audit messages. The tool can operate directly on the target system in real time or it can be used to analyze off-loaded log files. It not only has extended filtering capabilities, but it also provides an analysis tie-in with the policy that was on the source system. It can save filter configurations, or views, and can generate both text and HTML reports.

seaudit-report

A command-line tool that processes audit logs and generates reports in HTML and plain text. The reports are based on seaudit views (that is, saved filter specifications).
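The following added example (not code from this book, seaudit or seaudit-report) illustrates the view-then-report workflow the two tools above describe. It parses the AVC lines of a constructed audit log, applies a filter specification of the kind a saved view holds (result, source type, target type, object class, permission), and produces a plain-text summary of denials grouped by source type, target type and class. The log lines are constructed samples in the standard AVC message layout; the field set and the report format are assumptions for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample audit records (not from a real system). The last line
# is a SYSCALL record, which the AVC parser must skip rather than choke on.
SAMPLE_LOG = """\
type=AVC msg=audit(1163449920.103:42): avc:  denied  { read } for  pid=2143 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1163449921.221:43): avc:  denied  { name_connect } for  pid=2143 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1163449925.004:44): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=user_u:user_r:sysadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1163449930.517:45): avc:  denied  { write } for  pid=3001 comm="smtpd" name="maillog" dev=sda1 ino=5678 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1163449930.517:45): arch=c000003e syscall=2 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, result, permission set, fields.
_AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted strings or a bare token.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC line into a record, or return None for non-AVC lines."""
    m = _AVC_RE.match(line)
    if not m:
        return None
    rec: dict = {
        "ts": m.group("ts"),
        "serial": m.group("serial"),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in _KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Extract the type component (user:role:type:level) so views can filter on it.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def filter_avc(log_text: str, result: Optional[str] = None, stype: Optional[str] = None,
               ttype: Optional[str] = None, tclass: Optional[str] = None,
               perm: Optional[str] = None) -> List[dict]:
    """Apply a saved-view style filter; a criterion left as None matches anything."""
    matches = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if result is not None and rec["result"] != result:
            continue
        if stype is not None and rec["stype"] != stype:
            continue
        if ttype is not None and rec["ttype"] != ttype:
            continue
        if tclass is not None and rec["tclass"] != tclass:
            continue
        if perm is not None and perm not in rec["perms"]:
            continue
        matches.append(rec)
    return matches


def text_report(records: List[dict]) -> str:
    """Summarise records per (source type, target type, class), most frequent first."""
    counts = Counter((r["stype"], r["ttype"], r["tclass"]) for r in records)
    ordered = sorted(counts.items(), key=lambda kv: -kv[1])
    return "\n".join(f"{n:4d}  {s} -> {t} ({c})" for (s, t, c), n in ordered)


if __name__ == "__main__":
    # A view that keeps only denials, then the report built from it.
    print(text_report(filter_avc(SAMPLE_LOG, result="denied")))
```

The point of separating the filter (the view) from the report is the same as in seaudit and seaudit-report: the view is the reusable artefact, so the same "denials from httpd_t against file objects" specification can be applied to a live system today and to an off-loaded log from last month.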

sechecker

A command-line tool that performs various quality checks on a policy file (binary or source). It includes a template for generating custom checks. The goal is to provide a tool that can examine an SELinux policy for common problems and weaknesses.

secmds

A collection of command-line tools that extract various kinds of information from an SELinux policy. The collection includes the following:
seinfo

Provides general information about a given policy file (source or binary).


sesearch

Performs apol-like rule searches on a given binary or source policy.


findcon

A command to search for files and directories with a specific security context. The search can be limited to a specific object class.

replcon

A command similar to findcon, but with the added feature of allowing a partial or whole replacement of the security context.

indexcon

Generates a database file of the labels of all files and directories on the system or, if one is specified, under a single directory. The database file can be used with the file contexts analysis function of apol or with searchcon.

searchcon

Searches through a file context database generated by indexcon using user-specified criteria.

D.3. Other SELinux Tools

A number of other tools are being developed by various organizations. These tools are available as open source projects. They are at various stages of development and are primarily aimed at aiding the development or generation of SELinux policy.

Polgen/Slat

(www.mitre.org/tech/selinux/) Tools developed by the MITRE Corporation. Polgen can be used to automatically generate policy. Slat performs information flow analysis between types.

SLIDE

(http://sourceforge.net/projects/selinux-ide) A new open source project by Tresys Technology to develop an integrated development environment (IDE) that covers all aspects of SELinux policy development. The goal is to provide a single environment to develop, modify, analyze, and test SELinux policies.

Virgil

(http://sourceforge.net/projects/sepolicy-virgil) A policy generation tool developed by IBM. It is a utility that generates SELinux policy automatically through a GUI. It is designed to provide a quick and easy policy for services for which no policy has yet been developed.

seedit

(http://sourceforge.net/projects/seedit) A policy editor originally developed by Hitachi Software. It provides a Web-based GUI for generating new policy statements. It attempts to ease the development of policy by generalizing some of the policy details and providing a point-and-click interface.