Chapter 6.
Tools for Manipulating and Analyzing SELinux
An administrator's job may include analyzing and possibly manipulating the SELinux policy, as well
as doing performance analysis and tuning. This chapter discusses analysis and tuning.
For policy manipulation, you may wish to support a new daemon or discover and fix a problem, as
discussed in Chapter 8 Customizing and Writing Policy. One early step to writing policy is analyzing
existing policy so that you understand how it works. One example of this is given in Section 2.9.1 How
To Backtrack a Rule, where a macro is analyzed through the process of backtracking to the source of
a set of rules.
While some effective policy analysis can be done using standard command line text manipulation
tools, sophisticated policy analysis requires stronger tools. The simpler targeted policy consists of
more than 20,000 concatenated lines in policy.conf, which is derived from more than 150 macros
and thousands of lines of TE rules and file context settings, all interacting in very complex ways. Tools
such as apol are designed specifically for doing analysis of SELinux policy. This chapter discusses
these tools, which are part of the setools package. In addition to the GUI analysis tools seaudit and
apol, several command line tools that are useful for gathering information and statistics are explained.
Analysis is also necessary when doing performance tuning. Due to the real and potential workload
imposed by the AVC system, you may have some situations where being able to manipulate how this
works is useful to improving performance. This chapter presents some methods to tune your SELinux
installation.
In order to use these applications, you need both the setools and setools-gui packages
installed. The other packages you need come with the SELinux installation: libselinux
and policycoreutils.
Tip
When you are running a privileged application over ssh, meaning an application that requires you to
have root privileges, you must use the -Y option. This option enables trusted X11 forwarding:
ssh -Y root@host.example.com
The configuration requiring this is enabled by default and is new to Red Hat Enterprise Linux 4.
6.1. Information Gathering Tools
These tools are command line tools, providing formatted output. They are harder to use as part of
command line piping, but they provide gathered and well formatted information quickly.
avcstat
This provides a short output of the access vector cache statistics since boot. You can watch the
statistics in real time by specifying a time interval in seconds; each subsequent line then shows the
change since the previous output rather than the totals since boot. The statistics file used is
/selinux/avc/cache_stats, and you can specify a different file with -f /path/to/file. For example,
this might be useful for reviewing saved snapshots of /selinux/avc/cache_stats.
avcstat
   lookups       hits     misses     allocs   reclaims      frees
 194658175  194645272      12903      12903        880      12402
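The totals avcstat prints are the sum of one row per CPU in the statistics file. The following is an added example, not code from the guide or from the setools package: a small POSIX shell script that sums a cache_stats-style snapshot the way avcstat does, reports the hit ratio, and compares two snapshots to produce the per-interval figures you see when avcstat is run with an interval. The file layout (one header line, then one row per CPU with the columns lookups, hits, misses, allocations, reclaims, frees) and the numbers themselves are assumptions constructed for illustration; the two-CPU sample is chosen so that its totals match the single avcstat run shown above.

```shell
#!/bin/sh
# Added example, not from the original guide or from setools: sum the per-CPU
# rows of an /selinux/avc/cache_stats-style snapshot the way avcstat does, and
# compare two snapshots to see what a polling interval reports.
#
# Assumption: one header line followed by one row per CPU with the columns
# lookups hits misses allocations reclaims frees. The values are constructed
# for illustration (two CPUs whose totals match the avcstat output above).
SAMPLE_BEFORE='lookups hits misses allocations reclaims frees
97329087 97322636 6451 6451 440 6201
97329088 97322636 6452 6452 440 6201'

# A second constructed snapshot: CPU 0 performed 1000 more lookups, 990 of
# them hits and 10 of them misses (each miss also allocates a new entry).
SAMPLE_AFTER='lookups hits misses allocations reclaims frees
97330087 97323626 6461 6461 440 6201
97329088 97322636 6452 6452 440 6201'

# avc_totals: read a snapshot on stdin, add each column across the CPU rows,
# and print the six totals followed by the hit ratio in percent.
avc_totals() {
    awk 'NR > 1 { for (i = 1; i <= 6; i++) t[i] += $i }
         END {
             ratio = (t[1] > 0) ? 100 * t[2] / t[1] : 0
             printf "%d %d %d %d %d %d %.2f\n", t[1], t[2], t[3], t[4], t[5], t[6], ratio
         }'
}

# avc_delta BEFORE AFTER: print the change in lookups, hits and misses between
# two snapshots passed as strings. This is the per-interval figure avcstat
# shows when given an interval argument. Misses that rise together with
# reclaims mean the cache is evicting entries to make room for new ones.
avc_delta() {
    b=$(printf '%s\n' "$1" | avc_totals)
    a=$(printf '%s\n' "$2" | avc_totals)
    printf '%s %s\n' "$b" "$a" | awk '{ printf "%d %d %d\n", $8 - $1, $9 - $2, $10 - $3 }'
}

# Stand-alone usage on the constructed data. On a live Red Hat Enterprise
# Linux 4 system, feed avc_totals with: cat /selinux/avc/cache_stats
printf '%s\n' "$SAMPLE_BEFORE" | avc_totals
avc_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

Saving snapshots of /selinux/avc/cache_stats at intervals and running avc_delta over consecutive pairs gives the same view as avcstat with an interval, with the advantage that the snapshots can be kept and compared after a tuning change.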