Section 10.7. Exploring Object Labeling with Apol


Apol currently has two primary features for understanding object labeling: rule searching and file security context indexing and searching. We have explored rule searching in Chapters 5 and 6. Figure 10-1 shows the File Contexts tab of apol, which is used to create and search indexes of the security contexts for file-related objects. This allows us to examine how the file-related objects on a system are actually labeled as opposed to examining the file contexts specifications, which show how the file-related objects should be labeled. When trying to understand how a policy will be enforced on a particular system, information about how file-related objects are actually labeled is essential.

Figure 10-1. File context indexing and searching


A file contexts index is a snapshot of the security contexts of all of the file-related objects on a system. This index can be created from apol, using the Create and Load button, or with the indexcon command (included in the Setools package). Both tools recursively walk all mounted filesystems, recording the name, object class, and security context of all file-related objects. After the index is created (the data is stored in a file), it can be searched using apol or the searchcon command (also in Setools). The index is stored so that it can be searched efficiently, unlike searching the actual filesystem. For example, Figure 10-1 shows the result of searching for all file-related objects with the type user_home_t. Searching the file context index to find all files with this type was fast, whereas searching the filesystem would have taken several minutes. In addition, searching the file context index can be done on a different system than the one on which it was created.

Searches can be performed on any combination of name, user, object class, or type. Searching based on role is not supported because all file-related objects will normally have the special object_r role.
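The following shell script is an added example, not code from the book or from the Setools package: it rebuilds in miniature what indexcon and searchcon do, so the index-then-search workflow described above can be tried without apol. build_index assumes GNU findutils (its -printf %Z prints the file's security context) and records one "path, object class, context" line per object; the tab-separated record layout, the class mapping from find's type letters, and the -n/-u/-c/-t option letters are this example's own choices, not the real tools' format or flags. sample_index writes a small constructed index (not captured from any real system) so search_index can be exercised offline.

```shell
#!/bin/sh
# Added example: a minimal file-context index and search in the spirit of
# indexcon/searchcon. Record format (assumption): path<TAB>class<TAB>context

# build_index DIR INDEXFILE
# Walks DIR (staying on one filesystem) and stores path, class and context.
# Assumes GNU find with -printf %Z (security context) and %y (type letter).
build_index() {
    find "$1" -xdev -printf '%p\t%y\t%Z\n' 2>/dev/null |
    awk -F'\t' 'BEGIN { OFS = "\t"
                        m["f"] = "file";     m["d"] = "dir";      m["l"] = "lnk_file"
                        m["c"] = "chr_file"; m["b"] = "blk_file"; m["s"] = "sock_file"
                        m["p"] = "fifo_file" }
                { print $1, ($2 in m) ? m[$2] : $2, $3 }' > "$2"
}

# sample_index INDEXFILE
# Constructed sample records for offline use; not taken from a real system.
sample_index() {
    printf '%s\t%s\t%s\n' \
        /home/alice           dir      unconfined_u:object_r:user_home_dir_t:s0 \
        /home/alice/.bashrc   file     unconfined_u:object_r:user_home_t:s0 \
        /home/alice/notes.txt file     unconfined_u:object_r:user_home_t:s0 \
        /home/alice/bin       lnk_file unconfined_u:object_r:user_home_t:s0 \
        /etc/passwd           file     system_u:object_r:passwd_file_t:s0 \
        /tmp/foo              file     user_u:object_r:user_tmp_t:s0 > "$1"
}

# search_index INDEXFILE [-n NAME_REGEX] [-u USER] [-c CLASS] [-t TYPE]
# Criteria combine with AND; the role is deliberately not searchable,
# since file-related objects normally all carry object_r.
search_index() {
    idx=$1; shift
    name=''; user=''; cls=''; type=''
    while [ $# -gt 0 ]; do
        case $1 in
            -n) name=$2; shift 2 ;;
            -u) user=$2; shift 2 ;;
            -c) cls=$2;  shift 2 ;;
            -t) type=$2; shift 2 ;;
            *)  echo "search_index: unknown option $1" >&2; return 2 ;;
        esac
    done
    awk -F'\t' -v name="$name" -v user="$user" -v cls="$cls" -v type="$type" '
        {
            # context is user:role:type[:range]; fields 1 and 3 are user and type
            split($3, ctx, ":")
            if (name != "" && $1 !~ name)     next
            if (user != "" && ctx[1] != user) next
            if (cls  != "" && $2 != cls)      next
            if (type != "" && ctx[3] != type) next
            print
        }' "$idx"
}

# Typical use on a live system:
#   build_index / /var/tmp/fc.index
#   search_index /var/tmp/fc.index -t user_home_t
# Offline demonstration with the constructed index:
#   idx=$(mktemp); sample_index "$idx"; search_index "$idx" -t user_home_t -c file
```

Because the index is a plain file, it can be copied to and searched on a different machine, exactly as the text says of apol's index. On the system that produced it, diffing the recorded contexts against what the file contexts specification would assign (for example with matchpathcon -V from libselinux) is the quickest way to turn "how objects are actually labeled" into a list of mislabeled objects.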




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007