Dan Walsh's Blog

Got SELinux?


New Security Feature in Fedora 18 Part 8: Introducing sepolicy
Over the years people have struggled to understand SELinux policy and how it confines applications.  Administrators want to know which types the Apache process can read or write, which booleans are available for Samba, or whether a given domain can write to users' home directories.

sepolicy python bindings

The tool suite we had to do this was called setools, which included apol (a Tcl/Tk graphical tool), sesearch and seinfo.  I found that I hardly ever used apol and mainly used sesearch and seinfo.  But I wanted more control.  I decided to add python bindings for these two commands, which in prior releases were in the setools package.  These python bindings were rejected for merging upstream, for whatever reason.  I decided to move them into their own package, sepolicy.

> python
Python 2.7.3 (default, Aug  9 2012, 17:23:57)
[GCC 4.7.1 20120720 (Red Hat 4.7.1-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)

Returns a dictionary of all information about SELinux attributes.

>>> sepolicy.search([sepolicy.ALLOW])

Returns a dictionary of all allow rules in the policy.
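The questions at the top of the post (what can Apache read, who can write to home directories) are exactly what the search() output answers once you filter it. The script below is an added example, not code from the post or from the sepolicy package: it walks the rule dicts search() returns, assuming they carry the keys 'source', 'target', 'class' and 'permlist' (these key names are an assumption), and answers both questions. On a host without the sepolicy module or a loaded policy it falls back to a small constructed rule set, so the filtering logic runs anywhere.

```python
"""Added example: answer "which domains can write to user_home_t?" and
"which file types can httpd_t read?" from the rule dicts that
sepolicy.search([sepolicy.ALLOW]) returns.

Not code from the original post.  Assumptions: each rule dict has the keys
'type', 'source', 'target', 'class' and 'permlist'.  When the sepolicy
module is missing (non-SELinux host) or no policy is loaded, a constructed
sample rule set is used instead so the logic can still be exercised.
"""
from collections import defaultdict

try:
    import sepolicy  # Fedora's python bindings; absent on most other hosts
except ImportError:
    sepolicy = None

# Constructed sample rules in the assumed dict layout -- NOT real policy.
SAMPLE_RULES = [
    {"type": "allow", "source": "httpd_t", "target": "httpd_sys_content_t",
     "class": "file", "permlist": ["read", "getattr", "open"]},
    {"type": "allow", "source": "httpd_t", "target": "user_home_t",
     "class": "file", "permlist": ["read", "getattr", "open"]},
    {"type": "allow", "source": "smbd_t", "target": "user_home_t",
     "class": "file", "permlist": ["read", "write", "create", "unlink"]},
    {"type": "allow", "source": "smbd_t", "target": "user_home_t",
     "class": "dir", "permlist": ["read", "write", "add_name", "remove_name"]},
    {"type": "allow", "source": "unconfined_t", "target": "user_home_t",
     "class": "file", "permlist": ["write", "append"]},
    # dontaudit rules grant nothing; they must not show up as access.
    {"type": "dontaudit", "source": "sshd_t", "target": "user_home_t",
     "class": "file", "permlist": ["write"]},
]

# Permissions that let a domain modify an object's content or existence.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "link"}


def sample_allow_rules():
    """The constructed allow rules only (what sepolicy.ALLOW would select)."""
    return [r for r in SAMPLE_RULES if r["type"] == "allow"]


def load_allow_rules():
    """Allow rules from the live policy if available, else the sample set."""
    if sepolicy is not None:
        try:
            return sepolicy.search([sepolicy.ALLOW])
        except Exception:  # e.g. no policy loaded in this environment
            pass
    return sample_allow_rules()


def writers_of(rules, target_type, obj_class="file", write_perms=WRITE_PERMS):
    """Map source domain -> sorted write-like perms it holds on target_type."""
    found = defaultdict(set)
    for rule in rules:
        if rule.get("target") != target_type or rule.get("class") != obj_class:
            continue
        perms = write_perms & set(rule.get("permlist", []))
        if perms:
            found[rule["source"]].update(perms)
    return {src: sorted(p) for src, p in found.items()}


def types_accessible_by(rules, source, wanted_perms, obj_class="file"):
    """Sorted target types on which `source` holds any of wanted_perms."""
    targets = set()
    for rule in rules:
        if rule.get("source") != source or rule.get("class") != obj_class:
            continue
        if set(wanted_perms) & set(rule.get("permlist", [])):
            targets.add(rule["target"])
    return sorted(targets)


if __name__ == "__main__":
    rules = load_allow_rules()
    print("Domains that can write files of type user_home_t:")
    for src, perms in sorted(writers_of(rules, "user_home_t").items()):
        print("  %-20s %s" % (src, ", ".join(perms)))
    print("File types httpd_t can read:")
    for t in types_accessible_by(rules, "httpd_t", {"read"}):
        print("  " + t)
```

Against a real policy the target of a rule is often an attribute rather than a concrete type, so a complete answer also expands attributes with sepolicy.info(sepolicy.ATTRIBUTE); the sample data keeps to plain types to stay short.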

sepolicy command

Using these python bindings we have begun to build a new series of commands that I have found very useful for understanding policy.  I decided to combine these tools into a new command line tool, sepolicy.  Some of these tools I have blogged about in the past, but now I have consolidated them into a single tool and made it part of the distribution.  Over the next couple of blog posts I will explain some of the tools.

> man sepolicy

sepolicy(8)                                        sepolicy(8)

NAME
       sepolicy - SELinux Policy Inspection tool

SYNOPSIS
       semanage {manpage,network,communicate,transition,generate} OPTIONS

       Arguments:

       communicate
       Query SELinux policy to see if domains can communicate with each other sepolicy-communicate(8)

       generate
       Generate SELinux Policy module template sepolicy-generate(8)

       manpage
       Generate SELinux man pages sepolicy-manpage(8)

       network
       Query SELinux policy network information sepolicy-network(8)

       transition
       Query SELinux Policy to see how a source process domain can transition to the target process domain sepolicy-transition(8)

DESCRIPTION
       sepolicy  is  a  tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules.
       See the argument specific man pages for options and descriptions.
