Chapter 6. Tools for Manipulating and Analyzing SELinux


83


avc: granted { setbool } for pid=3803 exe=/usr/sbin/togglesebool \


scontext=root:system_r:unconfined_t \


tcontext=system_u:object_r:security_t tclass=security


...


Deny Listing


            


Number of messages: 8


Feb 06 19:42:45 urania kernel: audit(1107747765.871:7550947): \


avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd \


path=/home/auser/public_html dev=hdb2 ino=921135 \


scontext=user_u:system_r:httpd_t \


tcontext=system_u:object_r:user_home_t tclass=dir


Feb 06 19:42:45 urania kernel: audit(1107747765.872:7550962): \


avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd \


path=/home/auser/public_html dev=hdb2 ino=921135 \


scontext=user_u:system_r:httpd_t \


tcontext=system_u:object_r:user_home_t tclass=dir


...


# End


6.3. Using apol for Policy Analysis


There are many aspects to a formal security policy analysis. In this guide, policy analysis refers to


analyzing SELinux policy to discover the relationship between types defined in the policy. This section


presents apol, which is designed specifically for analyzing policy.


Policy analysis is not only performed on running systems, but is an integral part of designing and


writing a policy. You can analyze your custom policy using apol as part of your testing process,


before you load it on a machine. apol can help you discover unexpected and undesirable results of


your policy writing decisions. It helps show the differences between versions or kinds of policy. For


example, you can analyze each iteration of your policy, reusing saved queries, looking for information


leaks or unwanted transitions.


Policy analysis with apol is many magnitudes more complex than audit log analysis with seaudit.


The


setools


package comes with several important documents to read in order to understand how


to properly utilize apol, as well as how to interpret your results. Reading the documentation from


/usr/share/doc/setools  version


is recommended:


]


^


  apol_help.txt


  This detailed help file describes how to use all of the features of apol, as well


as a walkthrough of the tabbed interface.


  dta_help.txt


  This is an overview of domain transition analysis (DTA), which studies the


ability of processes to change their domains in a particular policy.


  iflow_help.txt


  This is an overview of information flow analysis, which finds the expected


and unexpected possible routes information can travel between two types in a policy.


  types_relation_help.txt


  This help file discusses analyzing the relationship between two


types. Information flow analysis is essentially what you are doing when you analyze the policy.


The topics each of these help files covers is central to the task of analyzing SELinux policy. The apol


UI is organized around these tasks. The following sections explain these tasks, discussing how to


utilize the GUI for your analysis work.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved