5.10. Information Gathering Tools
The utilities listed bellow are command-line tools that provide well-formatted information, such as access vector cache statistics or the number of classes, types, or Booleans.
avcstat
This command provides a short output of the access vector cache statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds. This provides updated statistics since the initial output. The statistics file used is
/selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file option.
~]# avcstat
lookups hits misses allocs reclaims frees
47517410 47504630 12780 12780 12176 12275
seinfo
This utility is useful in describing the break-down of a policy, such as the number of classes, types, Booleans, allow rules, and others.
seinfo is a command-line utility that uses a policy.conf file (a single text file containing policy source for versions 12 through 21), a binary policy file, a modular list of policy packages, or a policy list file as input. You must have the setools-console package installed to use the seinfo utility.
The output of
seinfo will vary between binary and source files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases as each formerly one line rule using brackets is now a number of individual lines.
Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial SIDs are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.
~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Classes: 77 Permissions: 229
Sensitivities: 1 Categories: 1024
Types: 3001 Attributes: 244
Users: 9 Roles: 13
Booleans: 158 Cond. Expr.: 193
Allow: 262796 Neverallow: 0
Auditallow: 44 Dontaudit: 156710
Type_trans: 10760 Type_change: 38
Type_member: 44 Role allow: 20
Role_trans: 237 Range_trans: 2546
Constraints: 62 Validatetrans: 0
Initial SIDs: 27 Fs_use: 22
Genfscon: 82 Portcon: 373
Netifcon: 0 Nodecon: 0
Permissives: 22 Polcap: 2
The
seinfo command can also list the number of types with the domain attribute, giving an estimate of the number of different confined processes:
~]# seinfo -adomain -x | wc -l
550
Not all domain types are confined. To look at the number of unconfined domains, use the unconfined_domain attribute:
~]# seinfo -aunconfined_domain_type -x | wc -l
52
Permissive domains can be counted with the
--permissive option.
~]# seinfo --permissive -x | wc -l
31
Remove the
| wc -l option in the above commands to see the full lists.
sesearch
You can use the
sesearch command to search for a particular type in the policy. You can search either policy source files or the binary file. For example:
~]$ sesearch --role_allow -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.24
Found 20 role allow rules:
allow system_r sysadm_r;
allow sysadm_r system_r;
allow sysadm_r staff_r;
allow sysadm_r user_r;
allow system_r git_shell_r;
allow system_r guest_r;
allow logadm_r system_r;
allow system_r logadm_r;
allow system_r nx_server_r;
allow system_r staff_r;
allow staff_r logadm_r;
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow staff_r webadm_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
allow system_r user_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r xguest_r;
The
sesearch command can provide the number of allow rules:
~]# sesearch --allow | wc -l
262798
And the number of dontaudit rules:
~]# sesearch --dontaudit | wc -l
156712
