Tools For Manipulating And Analyzing Selinux; Information Gathering Tools - Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual


Chapter 6. Tools for Manipulating and Analyzing SELinux

An administrator's job may include analyzing and possibly manipulating the SELinux policy, as well
as doing performance analysis and tuning. This chapter discusses analysis and tuning.

For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as
discussed in Chapter 8 Customizing and Writing Policy. One early step in writing policy is analyzing
existing policy so that you understand how it works. One example of this is given in Section 2.9.1 How
To Backtrack a Rule, where a macro is analyzed through the process of backtracking to the source of
a set of rules.

While some effective policy analysis can be done using standard command line text manipulation
tools, sophisticated policy analysis requires stronger tools. The simpler targeted policy consists of
more than 20,000 concatenated lines in policy.conf, which is derived from more than 150 macros
and thousands of lines of TE rules and file context settings, all interacting in very complex ways. Tools
such as apol are designed specifically for doing analysis of SELinux policy. This chapter discusses
these tools, which are part of the setools package. In addition to the GUI analysis tools seaudit and
apol, several command line tools that are useful for gathering information and statistics are explained.

Analysis is also necessary when doing performance tuning. Due to the real and potential workload
imposed by the AVC system, you may have some situations where being able to manipulate how this
works is useful for improving performance. This chapter presents some methods to tune your SELinux
installation.

In order to use these applications, you need both the setools and setools-gui packages
installed. The other packages you need come with the SELinux installation:
policycoreutils and libselinux.

Tip
When you are running a privileged application over ssh, meaning an application that requires you to
have root privileges, you must use the -Y option. This option enables trusted X11 forwarding:

ssh -Y root@host.example.com

The configuration requiring this is enabled by default and is new to Red Hat Enterprise Linux 4.

6.1. Information Gathering Tools

These tools are command line tools, providing formatted output. They are harder to use as part of
command line piping, but they provide gathered and well-formatted information quickly.

avcstat
This provides a short output of the access vector cache statistics since boot. You can watch the
statistics in real time by specifying a time interval in seconds. This provides updated statistics
since the initial output. The statistics file used is /selinux/avc/cache_stats, and you can
specify a different cache file with the -f /path/to/file option. For example, this might be useful
for reviewing saved snapshots of /selinux/avc/cache_stats.

avcstat
   lookups       hits     misses     allocs   reclaims      frees
 194658175  194645272      12903      12903        880      12402
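The following is an added example, not part of the Red Hat guide: a small Python helper for reviewing saved avcstat output, computing the cache hit ratio and the change between two snapshots of the cumulative counters. The function names are hypothetical, the first snapshot is the sample output shown on this page, and the second snapshot is constructed for illustration.

```python
# Added example: parse saved avcstat output and compare two snapshots.
FIELDS = ("lookups", "hits", "misses", "allocs", "reclaims", "frees")

def parse_avcstat(text):
    """Parse avcstat output (header row plus one row of counters) into a dict."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header = next((i for i, r in enumerate(rows) if tuple(r) == FIELDS), None)
    if header is None or header + 1 >= len(rows):
        raise ValueError("no avcstat header/value rows found")
    values = rows[header + 1]
    if len(values) != len(FIELDS) or not all(v.isdigit() for v in values):
        raise ValueError("malformed counter row: %r" % (values,))
    return dict(zip(FIELDS, map(int, values)))

def hit_ratio(stats):
    """Fraction of AVC lookups answered from the cache."""
    return stats["hits"] / stats["lookups"] if stats["lookups"] else 0.0

def delta(older, newer):
    """Per-counter change between two snapshots of cumulative counters."""
    diff = {k: newer[k] - older[k] for k in FIELDS}
    # Counters accumulate since boot, so a decrease means the two
    # snapshots cannot be compared (for example, taken across a reboot).
    if any(v < 0 for v in diff.values()):
        raise ValueError("counter decreased; snapshots are not comparable")
    return diff

# SNAP_A is the sample output on this page; SNAP_B is constructed.
SNAP_A = """   lookups       hits     misses     allocs   reclaims      frees
 194658175  194645272      12903      12903        880      12402
"""
SNAP_B = """   lookups       hits     misses     allocs   reclaims      frees
 194668175  194655172      13003      13003        900      12500
"""

if __name__ == "__main__":
    a, b = parse_avcstat(SNAP_A), parse_avcstat(SNAP_B)
    d = delta(a, b)
    print("since boot: %.4f%% hits" % (100 * hit_ratio(a)))
    print("interval:   %.2f%% hits, %d misses" % (100 * hit_ratio(d), d["misses"]))
```

A hit ratio over an interval that is well below the since-boot figure points at a workload that is missing the cache, which is the situation the tuning methods in this chapter address.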
