Chapter 6. Tools for Manipulating and Analyzing SELinux
avc: granted { setbool } for pid=3803 exe=/usr/sbin/togglesebool \
scontext=root:system_r:unconfined_t \
tcontext=system_u:object_r:security_t tclass=security
...
Deny Listing
Number of messages: 8
Feb 06 19:42:45 urania kernel: audit(1107747765.871:7550947): \
avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dir
Feb 06 19:42:45 urania kernel: audit(1107747765.872:7550962): \
avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dir
...
# End
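As an added example (not code from the guide or from the setools project), the following Python script parses kernel AVC messages in the format shown in the seaudit output above and groups the denials the way the deny listing does, by source domain, target type, object class and permission. The log lines are constructed to mirror the page's format and are not real captures.

```python
import re
from collections import Counter

# Constructed sample in the kernel audit/AVC format shown above (not a real capture).
SAMPLE_LOG = """\
Feb 06 19:42:45 urania kernel: audit(1107747765.871:7550947): avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd path=/home/auser/public_html dev=hdb2 ino=921135 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 06 19:42:45 urania kernel: audit(1107747765.872:7550962): avc: denied { getattr } for pid=2479 exe=/usr/sbin/httpd path=/home/auser/public_html dev=hdb2 ino=921135 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 06 19:43:01 urania kernel: audit(1107747781.010:7551003): avc: granted { setbool } for pid=3803 exe=/usr/sbin/togglesebool scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Feb 06 19:43:10 urania kernel: audit(1107747790.222:7551120): avc: denied { read } for pid=2479 exe=/usr/sbin/httpd name=index.html dev=hdb2 ino=921140 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

# audit(<seconds>.<millis>:<serial>): avc: <decision> { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<decision>granted|denied)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),  # a message may list several permissions
    }
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, path, scontext, tcontext, tclass ...
    return rec


def type_of(context):
    """Extract the type field from a user:role:type security context."""
    return context.split(":")[2]


def deny_summary(log_text):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(deny_summary(SAMPLE_LOG).items()):
        print(f"{n:4d}  {src} -> {tgt} ({cls}: {perm})")
```

Each summary row corresponds to one allow rule you would have to add (or one mislabelled file you would have to relabel) to clear the denial, which is the question seaudit's deny listing is meant to answer.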
6.3. Using apol for Policy Analysis
There are many aspects to a formal security policy analysis. In this guide, policy analysis refers to
analyzing SELinux policy to discover the relationship between types defined in the policy. This section
presents apol, which is designed specifically for analyzing policy.
Policy analysis is not only performed on running systems, but is an integral part of designing and
writing a policy. You can analyze your custom policy using apol as part of your testing process,
before you load it on a machine. apol can help you discover unexpected and undesirable results of
your policy writing decisions. It helps show the differences between versions or kinds of policy. For
example, you can analyze each iteration of your policy, reusing saved queries, looking for information
leaks or unwanted transitions.
Policy analysis with apol is many orders of magnitude more complex than audit log analysis with seaudit.
The setools package comes with several important documents to read in order to understand how
to properly utilize apol, as well as how to interpret your results. Reading the documentation from
/usr/share/doc/setools-<version> is recommended:
  apol_help.txt
  This detailed help file describes how to use all of the features of apol, and includes
a walkthrough of the tabbed interface.
  dta_help.txt
  This is an overview of domain transition analysis (DTA), which studies the
ability of processes to change their domains in a particular policy.
  iflow_help.txt
  This is an overview of information flow analysis, which finds the expected
and unexpected possible routes information can travel between two types in a policy.
  types_relation_help.txt
  This help file discusses analyzing the relationship between two
types. Information flow analysis is essentially what you are doing when you analyze the policy.
The topics covered by these help files are central to the task of analyzing SELinux policy. The apol
UI is organized around these tasks. The following sections explain these tasks, discussing how to
utilize the GUI for your analysis work.