Configuring high-end SELinux (Security-enhanced Linux) policies can be a daunting challenge to system administrators,
especially those who are new to the concepts and processes. But there are a number of useful tools available that will help you write, analyze and report on your policy. In this tip we'll look at one of these tools: SETools, a free open source product from Tresys Technology.
How does SETools help you out? The SETools package combines a number of different tools to assist you in working with SELinux policies. These include:
- apol -- Analyzes SELinux policies
- sediff -- Performs diffs on SELinux policy
- seaudit -- Analyzes audit messages
- sechecker -- Check SELinux policy
Let's start by installing SETools. You can setup SETools from a package or from source. For Red Hat Enterprise Linux 5 and Fedora Core 6+, packages should exist in the default repositories. On Fedora Core you would install SETools using yum:
# yum install setools setools-gui
(Note: The SETools versions available from the default repositories may not be up to date. At the time of writing, version 3.1 was available.)
Should you need to install SETools via source or you would just like a more recent version, then you need to install some applications. In addition to requiring the standard suite of development tools, SETools also requires the following:
- libselinux and libselinux-devel
- libsepol and libsepol-devel
- libxml2 and libxml2-devel
- sqlite and sqlite-devel
- tcl and tcl-devel
- tk and tk-devel
- libglade2 and libglade2-devel
The package names assume you're running Red Hat Enterprise Linux or a variation such as Fedora or CentOS. Many of these prerequisites may already be present on your host. The apol tool also requires, BWidget (version 1.7 or later). A BWidget package is included with SETools in the packages directory or you can install it via your distribution's package manager. If you don't need or want to use the GUI tools, you can disable the requirement for BWidget using the --disable-bwidget-check configure script option.
Once you've satisfied all the prerequisites, you can download SETools and compile it. The most current version of SETools is 3.3.1.
# wget http://oss.tresys.com/projects/setools/chrome/site/dists/setools-3.3.1/setools-3.3.1.tar.gz # tar -zxf setools-3.3.1.tar.gz # cd setools-3.3.1 # ./configure # make
After you have compiled SETools, the next step is to install it.
# make install
SETools also comes with an audit report integration Logwatch. With Logwatch and SETools installed you can automate the sending of customized audit reports via email. This turns SETools into a simple host IDS (intrusion detection system). You can install this integration (you must have Logwatch installed first) via the make install-logwatch target.
# make install-logwatch
This will install the required scripts and configuration files into the /etc/logwatch directory. The tools will send email reports via the Logwatch framework. You can also customize those reports to suit your requirements by altering the installed configuration file.
Now that you have SETools installed, you can make some use of it. The most interesting tools to try first are the graphical tools. The first of these tools is the apol policy analyzer. It is a graphical interface that provides the ability to browse and search through your SELinux policy. It has a variety of automated analysis reports that allow you to see how your policies interact and flow.
Next is the seaudit graphical tool which parses the /var/log/messages file and displays all SELinux audit messages. It provides a link between this output and your policies and can query policy for rules related to a particular message. It is also a convenient way of browsing your current SELinux-related log messages.
Secdiffx is a graphical diff engine that can compare two policies. There is also a command line version of this tool called secdiff. It highlights and lists differences between rules, roles, types, classes and permissions amongst other attributes of your policies. It is particularly useful after incrementing your policy to a new version to ensure you haven't missed, orphaned or not updated any elements of your policy.
Aside from the graphical tools, a popular and probably the most useful tool in the SETools kit is the command line based sechecker. The sechecker tool performs modular checks on policy and creates a report that details any errors or security issues. To do this sechecker has a number of profiles. Profiles analyze policies according to particular criteria, for example, the profile called attribs_wo_rules will return all attributes not used in any rule. To use sechecker we specify the particular profile to run against your policy and the location of our policy file:
# sechecker -p attribs_wo_rules /etc/selinux/melb_net/policy/policy.5
Here we run sechecker using the attributes without rules profile against one of our policies. There are also generic profiles that contain groups of other profiles, for example, the all profile will run all checks and the analysis profile that combines some common and useful profiles.
# sechecker -p analysis /etc/selinux/melb_net/policy/policy.5
You can see a full list of profiles by running sechecker with the –l option.
# sechecker –l
In addition to sechecker there are also a number of other command line tools: for example, seinfo, which returns statistics about your policy. There is also the sesearch tool, a policy search tool and a variety of tools to work with file contexts.
With the many challenges and complexities of implementing SELinux, the SETools package provides a number of useful and powerful tools to help you through the process of implementing and managing your policy.
About the author: James Turnbull is the author of Pro Nagios 2.0. and Hardening Linux. A security architect for the National Australia Bank, James is the resident security expert for SearchEnterpriseLinux.com. Recently, James discussed how to use iptables against SSH attacks