October 12th, 2011

setrans is a handy little tool to analyze policy transitions

For several years we have had a SELinux tool set called setools that allows you to analyse policy.  I use sesearch and seinfo all the time for looking at policy.  setools includes a tcl/tk interface, called apol,  that allows you to ask really complicated questions in policy about whether one process and read/write a file, even through process transitions.  The problem is the GUI is a little clunky, and I don't like GUIs.

A few years ago I added python bindings for sesearch and seinfo to the setools/apol libraries.  These python interfaces are used within some of the semanage tool chain.  

I often see an AVC about one domain not being able to write to another domains files.  Usually these types of avc's are caused by passing an open file descriptor, like stdout, from one process to another process.    Sometimes I am puzzled by the relationship between the two domains.  I recently got an AVC about ldconfig_t not being able to write to a chr_file labeled mock_var_lib_t.   How does the ldconfig program even know about a chr_file labeled mock_var_lib_t?  How did did mock transition to the ldconfig domain? 

Well I wrote a tool, setrans, that helps answer these question.  The tool takes two domain/process types and attempts to see if the first
type can transition to the second type, and then print all of the intermediary types that it used to get from one domain to the other.

./setrans init_t httpd_t
init_t --> httpd_t

./setrans mock_t ldconfig_t
mock_t --> mount_t --> insmod_t --> initrc_t --> ldconfig_t

./setrans mock_t user_t
mock_t --> mount_t --> insmod_t --> initrc_t --> stunnel_t --> rlogind_t --> remote_login_t --> unpriv_userdomain --> user_t
mock_t --> mount_t --> insmod_t --> initrc_t --> crond_t --> user_t
mock_t --> mount_t --> insmod_t --> initrc_t --> getty_t --> local_login_t --> userdomain --> user_t
mock_t --> mount_t --> insmod_t --> initrc_t --> xdm_t --> gkeyringd_domain --> user_t

I know that it is not complete and will not show all paths, but it is pretty useful for quick analyses of the policy.