5.5. Exploring Type Enforcement Rules with Apol

We have already seen that examining a policy to understand all the type enforcement declarations and rules is difficult. Determining all the types that are part of an attribute, for example, requires examining all the type and typeattribute statements in a policy. In a large policy, that could be thousands of statements spread across dozens of files. This is a daunting task. Automating this kind of policy analysis was one of the primary motivations for creating the policy analysis and debug tool apol. Let's examine some of the ways we can use apol to explore a type enforcement policy.

When we first start apol and load a policy, as you can see in Figure 5-2, the Policy Component tab is visible with the Types tab selected. All the types and attributes are listed on the left and a search window is on the right. Selecting a type and clicking Show Type Info brings up a window that shows all the attributes and aliases for that type. Similarly, selecting an attribute and clicking Show Attribute Info brings up a window that shows all the types that are part of that attribute. Figure 5-3 shows the detailed information about the domain attribute for this policy. This is one of the simplest but most valuable functions of apol.

Figure 5-2. Examining types and attributes using apol


Figure 5-3. Detailed information about the domain attribute


In addition to showing information about types and attributes, apol enables us to search for types or attributes using regular expressions. Figure 5-4 shows a search for all types that contain the substring httpd_ with the attributes and aliases for those types displayed.

Figure 5-4. A regular expression search for types


Apol also enables us to search for policy rules, including rules that reference a type only indirectly, through one of its attributes. The rule-searching functionality of apol is powerful, and we touch on only part of it here. Figure 5-5 shows a search for allow rules with shadow_t as the target type. Notice that the "Include indirect matches" option is checked, so rules whose target is an attribute that contains shadow_t are returned along with rules that name shadow_t explicitly. Doing this by hand, resolving every attribute in every rule, is all but impossible in a policy of any size.

Figure 5-5. A rule search for allow rules with shadow_t as the target type
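The three queries shown in Figures 5-3 through 5-5 come down to a few set operations over the policy's type, typeattribute and rule statements. The Python below is an added example, not code from the book or from apol: it parses a small, constructed policy fragment and answers the same questions, which types carry an attribute, which types match a regular expression (with their attributes and aliases), and which allow rules reference a type directly or only indirectly through an attribute. The rule with the target set { file_type -shadow_t } is there to show why expansion has to honor exclusions: shadow_t is a member of file_type but is removed from that rule's target set, so it must not be reported as a match. The type and attribute names are illustrative and are not taken from any real policy.

```python
import re
from collections import namedtuple

# Added example, not part of the book or of apol. Constructed policy fragment in
# SELinux policy-source syntax; the types and rules are illustrative, not from a real policy.
POLICY = """
attribute domain;
attribute httpd_domain;
attribute file_type;
type passwd_t, domain;
type httpd_t, domain, httpd_domain;
type httpd_sys_script_t alias { httpd_script_t }, domain;
typeattribute httpd_sys_script_t httpd_domain;
type shadow_t, file_type;
type etc_t, file_type;
allow passwd_t shadow_t : file { read write };           # names shadow_t directly
allow domain file_type : file getattr;                   # reaches shadow_t only via file_type
allow httpd_domain { file_type -shadow_t } : file read;  # shadow_t explicitly excluded
allow domain self : process signal;                      # self expands to the source set
"""

TOKEN = re.compile(r"\{|\}|:|[^\s{}:,;]+")   # commas are separators only, so they are skipped
RULE_KINDS = {"allow", "auditallow", "dontaudit", "neverallow"}
Rule = namedtuple("Rule", "kind source target tclass perms text")  # source/target: raw set tokens

class Policy:
    def __init__(self, source_text):
        self.types, self.aliases, self.attrs, self.rules = set(), {}, {}, []
        for stmt in re.sub(r"#.*", "", source_text).split(";"):
            if toks := TOKEN.findall(stmt):
                self._parse(toks)

    @staticmethod
    def _read_set(toks):
        """Consume one identifier or a brace-delimited set; return (items, remaining tokens)."""
        if toks[0] != "{":
            return [toks[0]], toks[1:]
        end = toks.index("}")
        return toks[1:end], toks[end + 1:]

    def _parse(self, toks):
        kw = toks[0]
        if kw == "attribute":
            self.attrs.setdefault(toks[1], set())
        elif kw == "type":
            name, rest = toks[1], toks[2:]
            self.types.add(name)
            if rest and rest[0] == "alias":
                aliases, rest = self._read_set(rest[1:])
                self.aliases.update({alias: name for alias in aliases})
            for attr in rest:
                self.attrs.setdefault(attr, set()).add(name)
        elif kw == "typeattribute":
            for attr in toks[2:]:
                self.attrs.setdefault(attr, set()).add(toks[1])
        elif kw in RULE_KINDS:
            src, rest = self._read_set(toks[1:])
            tgt, rest = self._read_set(rest)
            perms, _ = self._read_set(rest[2:])   # rest[0] is ":", rest[1] is the object class
            self.rules.append(Rule(kw, src, tgt, rest[1], set(perms), " ".join(toks)))

    def expand(self, items, source_items=None):
        """Resolve to types: attribute -> its members, alias -> canonical type, self -> source set, -x removes x."""
        result = set()
        for item in items:
            name = item.lstrip("-")
            if name == "self" and source_items is not None:
                members = self.expand(source_items)
            else:
                members = set(self.attrs.get(name, {self.aliases.get(name, name)}))
            result = result - members if item.startswith("-") else result | members
        return result

    def types_in_attribute(self, attr):
        return sorted(self.attrs.get(attr, ()))   # what Show Attribute Info lists

    def find_types(self, pattern):
        """Regex search over type names, with each hit's attributes and aliases (Show Type Info)."""
        rx = re.compile(pattern)
        return {t: {"attributes": sorted(a for a, m in self.attrs.items() if t in m),
                    "aliases": sorted(a for a, c in self.aliases.items() if c == t)}
                for t in sorted(self.types) if rx.search(t)}

    def search_rules(self, target=None, source=None, kinds=("allow",), indirect=True):
        """indirect=True mirrors apol's 'Include indirect matches': a type matches when it is
        in the rule's expanded set, not only when it is written in the rule itself."""
        def hit(items, name, src=None):
            return name in self.expand(items, src) if indirect else name in items
        return [r for r in self.rules if r.kind in kinds
                and (target is None or hit(r.target, target, r.source))
                and (source is None or hit(r.source, source))]

if __name__ == "__main__":
    pol = Policy(POLICY)
    print("types in domain:", pol.types_in_attribute("domain"))
    print("types matching httpd_:", pol.find_types(r"httpd_"))
    for indirect in (False, True):
        print(f"allow rules targeting shadow_t (indirect={indirect}):",
              [r.text for r in pol.search_rules(target="shadow_t", indirect=indirect)])
```

Run as a script, the direct search for shadow_t as target returns only the passwd_t rule, while the indirect search also returns the domain-to-file_type rule; the rule that excludes shadow_t is left out both times, and a search with httpd_t as the source finds nothing directly but three rules once domain and httpd_domain are expanded. Against a real compiled policy, apol's command-line siblings in the SETools suite, seinfo and sesearch, answer these same questions; the point of this small parser is only to make visible what "Include indirect matches" computes.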


Apol is a valuable tool to use as you read through this book and try to understand an SELinux policy. It enables you to explore the content of a policy, perform sophisticated searches, and browse policy components such as types and object classes. In particular, you will find the TE Rules search under the Policy Rules tab extremely valuable for answering the ubiquitous question, "What's going on with this type?" As you get familiar with the tool and with SELinux policy, you should explore the tools under the Analysis tab. These perform whole-policy analyses that follow chains of rules, such as domain transitions and information flows, rather than matching rules one at a time.




Source: SELinux by Example: Using Security Enhanced Linux (ISBN 0131963694, 2007).
