Chapter 6.


Tools for Manipulating and Analyzing SELinux


An administrator's job may include analyzing and possibly manipulating the SELinux policy, as well


as doing performance analysis and tuning. This chapter discusses analysis and tuning.


For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as


discussed in Chapter 8 Customizing and Writing Policy. One early step to writing policy is analyzing


existing policy so that you understand how it works. One example of this is given in Section 2.9.1 How


To Backtrack a Rule, where a macro is analyzed through the process of backtracking to the source of


a set of rules.


While some effective policy analysis can be done using standard command line text manipulation


tools, sophisticated policy analysis requires stronger tools. The simpler targeted policy consists of


more than 20,000 concatenated lines in


policy.conf


, which is derived from more than 150 macros


and thousands of lines of TE rules and file context settings, all interacting in very complex ways. Tools


such as apol are designed specifically for doing analysis of SELinux policy. This chapter discusses


these tools, which are part of the


setools


package. In addition to the GUI analysis tools seaudit and


apol, several command line tools that are useful for gathering information and statistics are explained.


Analysis is also necessary when doing performance tuning. Due to the real and potential workload


imposed by the AVC system, you may have some situations where being able to manipulate how this


works is useful to improving performance. This chapter presents some methods to tune your SELinux


installation.


In order to use these applications, you need both the


setools


and


setools gui


packages


installed. The other packages you need come with the SELinux installation:


libselinux


and


policycoreutils


.


Tip


When you are running a privileged application over ssh, meaning an application that requires you to


have root privileges, you must use the  Y option. This option enables trusted X11 forwarding:


ssh  Y root@host.example.com


The configuration requiring this is enabled by default and is new to Red Hat Enterprise Linux 4.


6.1. Information Gathering Tools


These tools are command line tools, providing formatted output. They are harder to use as part of


command line piping, but they provide gathered and well formatted information quickly.


avcstat


This provides a short output of the access vector cache statistics since boot. You can watch the


statistics in real time by specifying a time interval in seconds. This provides updated statistics


since the initial output. The statistics file used is


/selinux/avc/cache_stats


, and you can


specify a different cache file with the


 f /path/to/file


. For example, this might be useful


for reviewing saved snapshots of


/selinux/avc/cache_stats


.


avcstat


lookups


hits


misses


allocs


reclaims


frees


194658175


194645272


12903


12903


880


12402








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved