D.2. SETools Suite

Tresys Technology has a long-standing suite of tools for analyzing and debugging SELinux policies. These tools are open source and are usually included in any Linux distribution that supports SELinux. The latest version of the tool suite and its source code is available from www.tresys.com/selinux.

All the source packages contain help files explaining how to use the tools and their features. All the tools are built on a common policy library, libapol, which is also included in the setools package.

apol

This is the SELinux policy analysis tool we use throughout this book. It accepts either a policy.conf file or a compiled binary policy file. It is able to parse almost all versions of SELinux policy. Apol allows complicated rule searches and has several powerful automated analysis modules that perform such things as information flow and domain transition analyses.

sediff

A utility to semantically compare two policies. It can compare source policies, binary policies, or a combination of both. It can be run from the command line or with a GUI front end. (Either sediffx or sediff -X brings up the GUI.)

seaudit

A tool to browse and analyze SELinux audit messages. The tool will operate directly on the target system in real time or it can be used to analyze off-loaded log files. It not only has extended filtering capabilities, but it also provides an analysis tie-in with the policy that was on the source system. It can save filter configurations or views and can generate both text and HTML reports.

seaudit-report

A command-line tool that processes audit logs and generates reports in HTML and plain text. The reports are based on seaudit views (that is, saved filter specifications).
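As an added illustration, not code from the book or from the SETools project, the following Python shows what a seaudit "view" amounts to: AVC denial records are parsed, a saved set of filter criteria is applied, and a plain-text summary in the spirit of seaudit-report is produced. The log lines are constructed for this example, and the helper names (parse_avc, apply_view, text_report, stype, ttype) are this example's own.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from any real system); the field
# layout follows the kernel's AVC message format. The SYSCALL line shows that
# non-AVC records are ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1172159600.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1172159601.456:43): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/bob/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1172159602.789:44): avc:  denied  { name_connect } for  pid=2222 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1172159602.789:44): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1172159603.000:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(log_text):
    """Return one dict per AVC record; lines without an AVC message are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = tuple(sorted(rec["perms"].split()))
        # The type is the third colon-separated component of user:role:type:level.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def apply_view(records, stype=None, ttype=None, tclass=None, result="denied"):
    """A view is a saved set of filter criteria; None means 'match anything'."""
    return [r for r in records
            if r["result"] == result
            and (stype is None or r["stype"] == stype)
            and (ttype is None or r["ttype"] == ttype)
            and (tclass is None or r["tclass"] == tclass)]

def summarize(records):
    """Collapse repeated denials into (stype, ttype, tclass, perms) -> count."""
    return Counter((r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records)

def text_report(records):
    """Plain-text report: one line per distinct denial, sorted for stable diffs."""
    lines = ["count  source_type  target_type  class  permissions"]
    for (stype, ttype, tclass, perms), n in sorted(summarize(records).items()):
        lines.append(f"{n:5d}  {stype}  {ttype}  {tclass}  {{ {' '.join(perms)} }}")
    return "\n".join(lines)
```

Running text_report(apply_view(parse_avc(SAMPLE_LOG), stype="httpd_t")) lists the httpd_t denials only, with the two identical read denials collapsed into one line with a count of 2.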

sechecker

A command-line tool that performs various quality checks on a policy file (binary or source). It includes a template for generating custom checks. The goal is to provide a tool that can examine an SELinux policy for common problems and weaknesses.

secmds

A collection of command-line tools that examine various information on an SELinux policy. The collection includes the following:

seinfo

Provides general information about a given policy file (source or binary).

sesearch

Performs apol-like rule searches on a given binary or source policy.

findcon

A command to search for files and directories with a specific security context. The search can be limited to a specific object class.

replcon

A command similar to findcon, but with the added feature of allowing a partial or whole replacement of the security context.

indexcon

Generates a database file of the labels of all files and directories on the system or, if a directory is specified, under that directory only. The database file can be used with the file contexts analysis function of apol or with searchcon.

searchcon

Searches through a file context database generated by indexcon using user-specified criteria.

SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
