4.11. Information Gathering Tools
The utilities listed below are command-line tools that provide well-formatted information, such as access vector cache statistics or the number of classes, types, or Booleans.
avcstat
This command provides a short output of the access vector cache statistics since boot. You can watch the statistics in real time by specifying a time interval in seconds. This provides updated statistics since the initial output. The statistics file used is /sys/fs/selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file option.
~]# avcstat
   lookups       hits     misses     allocs   reclaims      frees
  47517410   47504630      12780      12780      12176      12275
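The counters above are cumulative since boot, so what a practitioner usually wants is the hit ratio, a consistency check (lookups should equal hits plus misses), and the change between two samples when watching with an interval. The Python below is an added example, not code from the Red Hat guide or from the avcstat tool. It parses the two-line table that avcstat prints and, as an assumption about the raw kernel file, a header line followed by one six-counter row per CPU in /sys/fs/selinux/avc/cache_stats, which avcstat sums before printing. Both sample strings are constructed from the numbers shown in the output above.

```python
"""Parse SELinux AVC cache statistics and derive hit ratio and deltas.

Added example (not from the Red Hat guide or from avcstat itself).
"""
from typing import Dict, List

FIELDS = ("lookups", "hits", "misses", "allocs", "reclaims", "frees")

# Constructed sample: the table avcstat printed in the guide.
AVCSTAT_OUTPUT = """\
   lookups       hits     misses     allocs   reclaims      frees
  47517410   47504630      12780      12780      12176      12275
"""

# Constructed sample of the raw kernel file (assumed layout: header line,
# then one row of six counters per CPU). The kernel header names the fourth
# column "allocations"; positions are what matter, so it maps onto "allocs".
CACHE_STATS_FILE = """\
lookups hits misses allocations reclaims frees
23758705 23752315 6390 6390 6088 6137
23758705 23752315 6390 6390 6088 6138
"""


def parse_counter_rows(text: str) -> List[Dict[str, int]]:
    """Return one dict per numeric row; the header row is only sanity-checked."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or len(lines[0].split()) != len(FIELDS):
        raise ValueError("unexpected header line in AVC statistics")
    rows = []
    for ln in lines[1:]:
        values = [int(v) for v in ln.split()]
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed counter row: {ln!r}")
        rows.append(dict(zip(FIELDS, values)))
    return rows


def sum_counters(rows: List[Dict[str, int]]) -> Dict[str, int]:
    """Add per-CPU rows together, which is what avcstat does before printing."""
    totals = dict.fromkeys(FIELDS, 0)
    for row in rows:
        for key in FIELDS:
            totals[key] += row[key]
    return totals


def is_consistent(c: Dict[str, int]) -> bool:
    """Every lookup is either a hit or a miss."""
    return c["lookups"] == c["hits"] + c["misses"]


def hit_ratio(c: Dict[str, int]) -> float:
    """Fraction of lookups served from the cache (0.0 when nothing was looked up)."""
    return c["hits"] / c["lookups"] if c["lookups"] else 0.0


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counter growth between two samples, i.e. what avcstat shows per interval."""
    return {key: after[key] - before[key] for key in FIELDS}


if __name__ == "__main__":
    totals = sum_counters(parse_counter_rows(CACHE_STATS_FILE))
    print(totals, "consistent:", is_consistent(totals))
    print(f"hit ratio: {hit_ratio(totals):.5f}")
```

A falling hit ratio between samples, or a burst of misses and allocs, is the signal to look at: it means the kernel is computing fresh access decisions, which usually accompanies new domains starting or a policy reload.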
seinfo
This utility is useful in describing the breakdown of a policy, such as the number of classes, types, Booleans, allow rules, and others. seinfo is a command-line utility that uses a policy.conf file, a binary policy file, a modular list of policy packages, or a policy list file as input. You must have the setools-console package installed to use the seinfo utility.
The output of seinfo will vary between binary and source files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases as each formerly one-line rule using brackets is now a number of individual lines.
Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial Security Identifiers (SIDs) are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.
~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3001    Attributes:        244
   Users:               9    Roles:              13
   Booleans:          158    Cond. Expr.:       193
   Allow:          262796    Neverallow:          0
   Auditallow:         44    Dontaudit:      156710
   Type_trans:      10760    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        237    Range_trans:      2546
   Constraints:        62    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           373
   Netifcon:            0    Nodecon:             0
   Permissives:        22    Polcap:              2
The seinfo utility can also list the number of types with the domain attribute, giving an estimate of the number of different confined processes:
~]# seinfo -adomain -x | wc -l
550
Not all domain types are confined. To look at the number of unconfined domains, use the unconfined_domain_type attribute:
~]# seinfo -aunconfined_domain_type -x | wc -l
52
Permissive domains can be counted with the --permissive option:
~]# seinfo --permissive -x | wc -l
31
Remove the additional | wc -l command in the above commands to see the full lists.
sesearch
You can use the sesearch utility to search for a particular rule in the policy. It is possible to search either policy source files or the binary file. For example:
~]$ sesearch --role_allow -t httpd_sys_content_t
Found 20 role allow rules:
   allow system_r sysadm_r;
   allow sysadm_r system_r;
   allow sysadm_r staff_r;
   allow sysadm_r user_r;
   allow system_r git_shell_r;
   allow system_r guest_r;
   allow logadm_r system_r;
   allow system_r logadm_r;
   allow system_r nx_server_r;
   allow system_r staff_r;
   allow staff_r logadm_r;
   allow staff_r sysadm_r;
   allow staff_r unconfined_r;
   allow staff_r webadm_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;
   allow system_r user_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r xguest_r;
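A list of role allow rules is easier to audit as a graph: each rule "allow A B;" is an edge saying role A may change to role B, and chains of such edges show which roles a given role can eventually reach. The Python below is an added example, not code from the Red Hat guide or from SETools. It parses sesearch --role_allow output (the twenty rules above, reflowed one per line as a constructed sample) and answers two questions: which roles a starting role can reach, and which roles can reach a sensitive target such as unconfined_r.

```python
"""Turn `sesearch --role_allow` output into a role graph and query reachability.

Added example (not from the Red Hat guide or from SETools).
"""
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed sample: the rules shown in the guide, one per line.
SESEARCH_ROLE_ALLOW = """\
Found 20 role allow rules:
   allow system_r sysadm_r;
   allow sysadm_r system_r;
   allow sysadm_r staff_r;
   allow sysadm_r user_r;
   allow system_r git_shell_r;
   allow system_r guest_r;
   allow logadm_r system_r;
   allow system_r logadm_r;
   allow system_r nx_server_r;
   allow system_r staff_r;
   allow staff_r logadm_r;
   allow staff_r sysadm_r;
   allow staff_r unconfined_r;
   allow staff_r webadm_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;
   allow system_r user_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r xguest_r;
"""

# One role allow rule: "allow <source_role> <target_role>;"
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*;\s*$")


def parse_role_allow(text: str) -> Dict[str, Set[str]]:
    """Map each source role to the set of roles it is allowed to change to."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # header lines such as "Found 20 role allow rules:" do not match
            graph[m.group(1)].add(m.group(2))
    return dict(graph)


def reachable_roles(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """All roles other than `start` reachable by following role allow edges."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        role = stack.pop()
        for nxt in graph.get(role, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)  # a cycle can lead back to the start; not interesting
    return seen


def roles_that_can_reach(graph: Dict[str, Set[str]], target: str) -> Set[str]:
    """Roles that can arrive at `target` through one or more role allow rules."""
    reverse: Dict[str, Set[str]] = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].add(src)
    return reachable_roles(dict(reverse), target)


if __name__ == "__main__":
    g = parse_role_allow(SESEARCH_ROLE_ALLOW)
    print("staff_r can reach:", sorted(reachable_roles(g, "staff_r")))
    print("can reach unconfined_r:", sorted(roles_that_can_reach(g, "unconfined_r")))
```

Role allow rules are only one of the conditions for a role change: the user's authorized role set, role_transition rules for automatic changes, and any constraints in the policy also apply, so a role listed as reachable here is permitted by this rule class, not necessarily reachable in practice.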
The sesearch utility can provide the number of allow rules:
~]# sesearch --allow | wc -l
262798
And the number of dontaudit rules:
~]# sesearch --dontaudit | wc -l
156712