6.4. Exploring Roles and Users with Apol

Apol has features for searching and displaying roles and users. The Roles tab on the Policy Components tab, shown in Figure 6-2, displays all the roles and provides searching functions. In this example, we search for roles associated with the type user_ssh_t. The search results show that the role user_r is associated with this type. Because we have chosen to show all information about the roles in the search results, all the types associated with the matching roles are shown. As previously discussed, it is common for role declaration statements, which associate roles and types, to be distributed throughout the policy source. This feature of apol makes it easy to find the relationships between roles and types.

Figure 6-2. Apol displaying the types associated with the role user_r


The Users tab of the Policy Components tab offers similar features for users. Figure 6-3 shows all the SELinux users in this policy and the associated roles. Searching for SELinux users by associated roles is also possible.

Figure 6-3. Apol displaying all the SELinux users and the associated roles


In addition to displaying roles and users, apol enables us to search for role allow and transition rules. This feature, which is located on the RBAC Rules tab of the Policy Rules tab, is similar to the TE rule searching feature. Figure 6-4 shows a search for all the role allow and transition rules that have the role sysadm_r in the source field.

Figure 6-4. Apol displaying all the role allow and transition rules with the role sysadm_r as the source
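
The three searches shown in Figures 6-2 through 6-4, reproduced as an added Python example (not from the book and not apol's own code): it merges role declarations scattered through a policy source and answers the same queries by type, by role, and by RBAC rule source. The policy fragment is constructed, and the parser assumes preprocessed, non-MLS source with a single type in each role_transition rule.

```python
import re
from collections import defaultdict

# Constructed policy fragment (not from a real policy); the declarations
# for user_r are deliberately split across two statements.
SAMPLE_POLICY = """
role user_r types user_t;
role sysadm_r types { sysadm_t sysadm_ssh_t };
role user_r types { user_ssh_t user_su_t };   # declared elsewhere in the source
user root roles { user_r sysadm_r };
user joe roles user_r;
allow sysadm_r { user_r system_r };
allow user_r sysadm_r;
allow sysadm_t user_home_t : file read;
role_transition sysadm_r initrc_exec_t system_r;
"""

def _names(text):
    """Expand 'a' or '{ a b }' into a list of identifiers."""
    return text.strip("{} \t").split()

def parse_policy(source):
    """Return (role -> types, user -> roles, list of RBAC rule tuples)."""
    role_types, user_roles, rbac = defaultdict(set), defaultdict(set), []
    source = re.sub(r"#.*", "", source)              # drop comments
    for stmt in (s.strip() for s in source.split(";")):
        if m := re.fullmatch(r"role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)", stmt):
            role_types[m[1]].update(_names(m[2]))    # merge scattered declarations
        elif m := re.fullmatch(r"user\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)", stmt):
            user_roles[m[1]].update(_names(m[2]))
        elif m := re.fullmatch(r"allow\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)", stmt):
            # No ':' class field, so this is a role allow rule, not a TE allow rule.
            rbac += [("allow", s, t) for s in _names(m[1]) for t in _names(m[2])]
        elif m := re.fullmatch(r"role_transition\s+(\w+)\s+(\w+)\s+(\w+)", stmt):
            rbac.append(("role_transition", m[1], f"{m[2]} -> {m[3]}"))
    return role_types, user_roles, rbac

def roles_for_type(role_types, type_name):
    return sorted(r for r, types in role_types.items() if type_name in types)

def users_for_role(user_roles, role):
    return sorted(u for u, roles in user_roles.items() if role in roles)

def rbac_rules_from(rbac, source_role):
    return [rule for rule in rbac if rule[1] == source_role]

if __name__ == "__main__":
    rt, ur, rules = parse_policy(SAMPLE_POLICY)
    print(roles_for_type(rt, "user_ssh_t"), users_for_role(ur, "sysadm_r"))
    print(*rbac_rules_from(rules, "sysadm_r"), sep="\n")
```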





SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154