-
Notifications
You must be signed in to change notification settings - Fork 34
Changes Since SETools v3
SETools v4 is a rewrite of SETools in Python. The most-used tools have been reimplemented:
Additionally, two new tools were added:
- seinfoflow (a command-line information flow analysis)
- sedta (a command-line domain transition analysis)
SETools' handling of policy has been simplified. Previously loading of a set of modules (*.pp)
was supported, but this usage was atypical and ignored local customizations being applied
by semanage. Now all tools will work only on the binary (kernel) policy (e.g. policy.x or sepolicy)
or a monolithic policy source file (typically policy.conf).
In general, the command line behavior of tools was retained, but there are a few minor differences,
especially due to the use of Python's argparse command line parser. Additionally, all tools now have two
new options: -v for more additional processing information, and --debug
for debugging information.
seinfo's previous command line options remain the same, though there are more options due to new
SETools features. A space is now supported between the switch and their optional arguments:
seinfo -t type_t
However, the optional arguments are chosen over specifying a policy. e.g.
-
seinfo --permissivemeans get all permissive types from the loaded policy. -
seinfo --permissive sepolicymeans look for a permissive type calledsepolicyfrom the loaded policy -
seinfo sepolicy --permissivemeans get all permissive types from thesepolicypolicy file. -
seinfo sepolicy --permissive system_servermeans look or a permissive type calledsystem_serverfrom thesepolicyfile. -
seinfo --permissive -x sepolicymeans get all permissive types from thesepolicypolicy file and print additional info on them.
Most sesearch behavior is the same.
- The
-Aoption will now search forallowxpermrules, in addition toallowrules. - The
-Coption was removed as the expressions for conditional rules will always be printed. - The
-d(directly match attributes instead of their contents) option was split into individual options for source (-ds) and target (-dt) so the behavior can be better controlled. - The
-rregular expression matching option was split into options for each field (except rule type)-rs,-rt,-rc,-rd,-rb, for regex matching on the source, target, object class, default, and Boolean.
Because of the simplified policy handling, the ; is not needed on the command line.
SETools 3:
$ sediff old-policy.30 \; new-policy.30
SETools 4:
$ sediff old-policy.30 new-policy.30
- The
-Aoption will now diffallowxpermrules, in addition toallowrules. - The
-qoption has been removed. Nowsediffwill now always behave like the old-qflag, only printing headers if there is a difference or if the component is explicitly requested. For example, the header for allow rules will always be printed, even if there are no differences, if the--allowoption is specified. If all differences are requested, only headers for components that have differences will be printed.
apol was completely redesigned with the Qt graphics toolkit. The changes from SETools v3 are too
numerous to list here. The highlights are:
- The organization is simplified into a single top-level tab bar, with single menu of analysis options to choose.
- Different types of analysis tabs can be opened side by side.
- Analysis tabs can be renamed to make working on a large analysis easier.
- In each analysis tab:
- Where relevant, there is a table-based view of the analysis results, with sorting.
- The criteria can be hidden by unchecking a checkbox.
- There is a notes field for taking notes on results.
The SETools source code tree now provides automated tests for verifying correctness of the library functions. Additionally, during development, the TravisCI continuous integration service is used so tests are checked each time code is pushed to the repository. The 4.0.0 release has 95% test coverage.