9.10 Policy Management Tools


Tresys Technology, a network services company, has published a set of open source GUI tools for SELinux policy management. Most releases of SELinux include at least one of the Tresys tools, which are:


Apol

Supports analysis of the SELinux policy.conf file.


Seaudit

Supports searching, sorting, and viewing AVC log messages.


Sepcut

Supports browsing and editing of SELinux policy components.


Seuserx

Supports adding, changing, and removing Linux and SELinux users.

The following subsections briefly describe these tools. My intention is not to show you how to use the tools but to help you understand what they do, so that you can decide when to use them and which tool to use. Because the tools are regularly improved, I advise you to refer to the tools' help files for information on operating them. If your SELinux release does not include the Tresys tools, you can obtain them at http://www.tresys.com/.

9.10.1 Apol

The Apol tool enables you to analyze an SELinux policy. It does not work with the component files that compose the policy, but only with policy.conf. So you should compile the SELinux policy before using Apol. You can do so by issuing the command:

    make load

from within the SELinux src/policy directory. Figure 9-1 shows Apol's main window after using its File menu to open the policy.conf file.

Figure 9-1. Apol's main window

Apol's main window contains four primary tabs:


Policy Components

Supports searching and viewing policy components: types, type attributes, type aliases, object classes, object permissions, roles, users, initial SIDs, and SELinux Booleans.


Policy Rules

Supports working with policy rules: allow, neverallow, auditallow, dontaudit, type_transition, and type_change declarations.


Analysis

Supports several analysis operations, including forward and reverse domain transition analyses, direct information flow analysis, and indirect (transitive) information flow analysis.


policy.conf

Enables you to view the policy.conf file.

The following subsections describe the operations associated with Apol's first three tabs. You can learn more about Apol by studying its help file, available via the Help menu.

9.10.1.1 Policy components

As shown in Figure 9-1, the Policy Components tab contains six secondary tabs related to the policy component types:


Types

Lets you search types, type attributes, and aliases by specifying a regular expression. Double-clicking a type, attribute, or alias provides a summary description. The Search Results window displays policy.conf lines related to types and attributes having names matching the regular expression.


Classes/Perms

Lets you search object classes, common permissions, and permissions by specifying a regular expression. The Search Results window displays policy.conf lines related to object classes having names matching the regular expression. Double-clicking a class, common permission, or permission provides a summary description. Figure 9-2 shows a sample query and its result.


Roles

Lets you search roles and their attributes by specifying regular expressions for role or type. The tab makes it simple to identify all roles that include a specified type. Double-clicking a role provides a summary description. Figure 9-3 shows the result of a query requesting all roles.


Users

Lets you search SELinux user identities and their associated roles. Figure 9-4 shows the result of a query requesting all users.


Initial SIDs

Lets you search initial SIDs and their associated security contexts. Figure 9-5 shows the result of a query requesting all initial SIDs.


Booleans

Lets you search SELinux Booleans. Figure 9-6 shows the result of a query requesting all Booleans.

Figure 9-2. Apol's Classes/Perms tab

Figure 9-3. Apol's Roles tab

Figure 9-4. Apol's Users tab

Figure 9-5. Apol's Initial SIDs tab

Figure 9-6. Apol's Booleans tab

Figure 9-7. Apol's Policy Rules tab

9.10.1.2 Policy rules

Figure 9-7 shows Apol's Policy Rules tab, which contains three secondary tabs:


TE Rules

This tab lets you search type-enforcement rules. The tab supports several search criteria:


Rule Selection

Lets you narrow the scope of a search to include only specified rules.


Type/Attributes

Lets you search by types and type attributes used as source, target, or default types in rules.


Classes/Permissions

Lets you search by object classes and permissions, returning only rules that reference the specified classes and permissions.

The results window displays all rules matching the specified search criteria. Each displayed rule includes a hyperlink that points to the rule's place in the policy.conf file.


RBAC Rules

Figure 9-8 shows the RBAC tab, which lets you search role-based access control rules in much the same way as the TE tab lets you search type enforcement rules.


Conditional Expressions

Figure 9-9 shows the Conditional Expressions tab, which lets you search conditional expressions for the following rule types:

  • audit rules

  • allow rules

  • transition rules

You can search by specifying a regular expression that matches the name of a Boolean appearing within a conditional expression. Each rule displayed in the results window includes a hyperlink that points to the rule's location within the policy.conf file.

Figure 9-8. Apol's RBAC Rules tab

Figure 9-9. Apol's Conditional Expressions tab

9.10.1.3 Analysis

The Analysis tab is perhaps the most interesting and useful of Apol's tabs. It enables you to perform three types of analysis:


Domain transition analysis

We generally think of a domain transition as a single step involving two domains: the source (beginning) domain and the target (ending) domain. But suppose your SELinux policy permits domain A to transition to domain B and also permits domain B to transition to domain C. There's no single-step path between domains A and C. Nevertheless, by executing two transitions a process can move from domain A to domain C.

A forward domain analysis shows the domains that can be reached in one or more transition steps from a given domain. To perform a forward domain transition analysis, you first specify a source domain. Apol then presents a tree identifying the target domains that can be reached directly from the specified source domain. Using a mouse or other pointing device, you can walk the tree, inspecting the rules that authorize each transition. Figure 9-10 shows the result of a simple forward domain analysis.

Figure 9-10. A forward domain analysis

A reverse domain analysis simply goes in the opposite direction. You specify a target domain, and Apol identifies the source domains that can reach the specified target domain in one or more transition steps.


Direct information flow analysis

Direct information flow analysis generalizes the domain analysis operation in two respects. First, it lets you specify the direction of the relationship between domains as IN, OUT, EITHER, or BOTH. Second, the relationship extends beyond domain transitions to include information flows. Roughly speaking, an information flow exists between two domains if one member of the pair can read or write objects having the type of the other member of the pair. For a more precise explanation of information flows, see the white paper titled An Overview of Information Flow Analysis, available on the Tresys web site.


Indirect (transitive) information flow analysis

Indirect information flow analysis generalizes direct information flow analysis by showing relationships along indirect paths between pairs of domains. For instance, suppose that no information flow exists between domains A and C. If an information flow exists between domains A and B, and another exists between domains B and C, an indirect information flow may exist between domains A and C. Informally, indirect information flow analysis shows which domains interact with other domains. See the Apol help file for more information on indirect information flow analysis.
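The three analyses described above (forward and reverse domain transition analysis, and direct and indirect information flow analysis) are all graph searches over the policy's allow rules. The following Python script is an added example, not Tresys code and not part of the book: it parses a handful of constructed policy.conf-style allow rules (the domains and types are made up for the example) and answers the same questions Apol's Analysis tab answers. The read/write permission classification it uses to derive flows is a deliberate simplification; Apol's own permission maps are more complete.

```python
"""Toy model of the analyses Apol performs over TE allow rules (added example)."""
import re
from collections import defaultdict, deque

# Constructed rules in policy.conf syntax; they are not from any real policy.
POLICY_CONF = """
allow init_t getty_exec_t:file { read execute };
allow init_t getty_t:process transition;
allow getty_t login_exec_t:file { read execute };
allow getty_t login_t:process transition;
allow login_t user_t:process transition;
allow user_t user_home_t:file { read write };
allow user_t tmp_t:file write;
allow syslogd_t tmp_t:file read;
allow syslogd_t var_log_t:file write;
allow logrotate_t var_log_t:file read;
allow logrotate_t shadow_t:file read;
"""

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_rules(text):
    """Return (source, target, class, {perms}) for each allow rule in `text`."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{}").split())))
    return rules


def _bfs(graph, start):
    """Breadth-first search; returns {node: path from start} for every reachable node."""
    paths, queue = {}, deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt != start and nxt not in paths:
                paths[nxt] = path + [nxt]
                queue.append((nxt, paths[nxt]))
    return paths


def transition_graph(rules):
    """Edge src -> tgt for every rule granting 'transition' on the process class."""
    g = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if cls == "process" and "transition" in perms:
            g[src].add(tgt)
    return g


def forward_domain_analysis(rules, source):
    """Domains reachable from `source` in one or more transitions, with the path taken."""
    return _bfs(transition_graph(rules), source)


def reverse_domain_analysis(rules, target):
    """Domains that can reach `target` in one or more transitions; paths are source-first."""
    reverse = defaultdict(set)
    for src, tgts in transition_graph(rules).items():
        for tgt in tgts:
            reverse[tgt].add(src)
    return {d: p[::-1] for d, p in _bfs(reverse, target).items()}


# Simplified permission classes used to derive information flows (an assumption of
# this example; Apol uses a fuller permission map).
WRITE_PERMS = {"write", "append", "create", "setattr"}
READ_PERMS = {"read", "getattr", "execute"}


def flow_graph(rules):
    """Flow edges: domain -> type when the domain may write it, type -> domain when it may read it."""
    g = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if cls == "process":
            continue
        if perms & WRITE_PERMS:
            g[src].add(tgt)
        if perms & READ_PERMS:
            g[tgt].add(src)
    return g


def direct_flow(rules, node, direction="OUT"):
    """One-step flows touching `node`; direction is OUT, IN, EITHER or BOTH, as in Apol."""
    g = flow_graph(rules)
    out = set(g.get(node, ()))
    inn = {src for src, tgts in g.items() if node in tgts}
    return {"OUT": out, "IN": inn, "EITHER": out | inn, "BOTH": out & inn}[direction]


def indirect_flow(rules, start):
    """Transitive flows: every node reachable from `start` through any chain of flow edges."""
    return _bfs(flow_graph(rules), start)


if __name__ == "__main__":
    rules = parse_rules(POLICY_CONF)
    print("forward from init_t:", forward_domain_analysis(rules, "init_t"))
    print("reverse to user_t:", reverse_domain_analysis(rules, "user_t"))
    print("direct OUT from user_t:", direct_flow(rules, "user_t"))
    print("indirect from user_t:", indirect_flow(rules, "user_t"))
```

With these rules, init_t reaches user_t only through the chain init_t, getty_t, login_t, user_t, which no single rule states; that is the multi-step path the text describes. Likewise user_t has no direct flow to logrotate_t, but the indirect analysis finds user_t writing tmp_t, syslogd_t reading tmp_t and writing var_log_t, and logrotate_t reading var_log_t, while shadow_t stays unreachable from user_t.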

9.10.2 Seaudit

Figure 9-11 shows the main window of Seaudit, a GUI tool for viewing AVC messages within system logs. Seaudit can display messages either in real time or after the fact. Menu items let you specify the columns to be displayed, and search buttons let you construct, save, and run queries that select only a subset of log messages. You can also query the SELinux policy based on information contained within a log entry.
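The searching and filtering Seaudit provides rests on parsing the kernel's AVC messages into fields (result, permissions, source and target context, object class) and then selecting entries by those fields. The script below is an added example, not Tresys code and not from the book; the log lines it parses are constructed for the example, with made-up hostnames, pids and inode numbers. It reads AVC lines in the syslog format of the era the book describes, builds queries with regular-expression type filters like Seaudit's query builder, and summarizes denials by source type, target type and class, which is the grouping a practitioner wants before deciding whether a denial reflects a policy gap or an actual attempt to do something the policy rightly forbids.

```python
"""Parse and query AVC log messages the way Seaudit does (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines; the last one is not an AVC message and must be skipped.
SAMPLE_LOG = """\
Jan 14 10:22:01 web1 kernel: audit(1073848921.123:45): avc:  denied  { read } for  pid=1234 exe=/usr/sbin/httpd name=shadow dev=hda2 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 14 10:22:02 web1 kernel: audit(1073848922.456:46): avc:  granted  { read } for  pid=1234 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=22222 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jan 14 10:23:10 web1 kernel: audit(1073848990.789:47): avc:  denied  { write } for  pid=2001 exe=/bin/bash name=passwd dev=hda2 ino=33333 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
Jan 14 10:23:11 web1 sshd[2002]: Accepted password for alice from 10.0.0.5 port 4242 ssh2
"""

AVC_RE = re.compile(
    r"audit\((?P<secs>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def _type_of(context):
    """Third field of a user:role:type security context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Return a dict of fields for one AVC line, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m["fields"]))
    return {
        "timestamp": float(f"{m['secs']}.{m['msec']}"),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": set(m["perms"].split()),
        "tclass": fields.get("tclass"),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
    }


def parse_log(text):
    """Parse every AVC message in `text`, skipping other lines, oldest first."""
    entries = [e for e in map(parse_avc, text.splitlines()) if e]
    return sorted(entries, key=lambda e: (e["timestamp"], e["serial"]))


def query(entries, source_type=None, target_type=None, tclass=None, perm=None, result=None):
    """Select entries; source_type and target_type are regular expressions, the rest exact."""
    def keep(e):
        if source_type and not re.search(source_type, e["source_type"] or ""):
            return False
        if target_type and not re.search(target_type, e["target_type"] or ""):
            return False
        if tclass and e["tclass"] != tclass:
            return False
        if perm and perm not in e["perms"]:
            return False
        if result and e["result"] != result:
            return False
        return True
    return [e for e in entries if keep(e)]


def denial_summary(entries):
    """Group denials by (source type, target type, class) with the union of denied perms."""
    grouped = defaultdict(set)
    for e in entries:
        if e["result"] == "denied":
            grouped[(e["source_type"], e["target_type"], e["tclass"])] |= e["perms"]
    return {key: sorted(perms) for key, perms in grouped.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in query(log, source_type=r"^httpd_t$", result="denied"):
        print(e["serial"], e["source_type"], e["target_type"], e["tclass"], sorted(e["perms"]))
    for key, perms in denial_summary(log).items():
        print(key, perms)
```

The summary for the sample shows httpd_t denied read on shadow_t and user_t denied write on etc_t; the granted access to httpd_sys_content_t is kept in the parsed entries but excluded from the denial grouping.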

Figure 9-11. The Seaudit main window

9.10.3 Sepcut

Sepcut helps you browse and edit policy component files. Figure 9-12 shows Sepcut's main window. The window includes three main tabs:

Figure 9-12. Sepcut's main window


Browse Policy

Lets you view and modify policy component files.


Policy Modules

Lets you view or edit policy modules and individually enable or disable them. The term policy module refers to a pair of files consisting of an FC file and a TE file.


Test Policy

Lets you compile and load a policy.

9.10.4 Seuserx

Seuserx lets you add, change, and delete Linux and SELinux users. Its main window, shown in Figure 9-13, includes five buttons, as well as an Exit button:

Figure 9-13. Seuserx's main window


Add

Lets you add a new user.


View/Change

Lets you view and change user characteristics.


Delete

Lets you delete a user.


Advanced

Lets you configure characteristics of generic users, that is, users who don't have specific SELinux identities and are therefore associated with the user_u SELinux identity.


Update Policy

When you exit Seuserx, it automatically loads a new security policy reflecting any changes you've made. However, you can use the Update Policy button to manually load a new policy whenever you like.


SELinux: NSA's Open Source Security Enhanced Linux
ISBN: 0596007167
Year: 2003
Pages: 100
Authors: Bill McCarty