Skip to content

Changes Since SETools v3

Chris PeBenito edited this page Jun 16, 2018 · 4 revisions

What's Changed Since SETools v3

SETools v4 is a rewrite of SETools in Python. The most-used tools have been reimplemented:

Additionally, two new tools were added:

  • seinfoflow (a command-line information flow analysis)
  • sedta (a command-line domain transition analysis)

Policy Handling Differences

SETools' handling of policy has been simplified. Previously loading of a set of modules (*.pp) was supported, but this usage was atypical and ignored local customizations being applied by semanage. Now all tools will work only on the binary (kernel) policy (e.g. policy.x or sepolicy) or a monolithic policy source file (typically policy.conf).

Command Line Differences

In general, the command line behavior of tools was retained, but there are a few minor differences, especially due to the use of Python's argparse command line parser. Additionally, all tools now have two new options: -v for more additional processing information, and --debug for debugging information.

seinfo

seinfo's previous command line options remain the same, though there are more options due to new SETools features. A space is now supported between the switch and their optional arguments:

seinfo -t type_t

However, the optional arguments are chosen over specifying a policy. e.g.

  • seinfo --permissive means get all permissive types from the loaded policy.
  • seinfo --permissive sepolicy means look for a permissive type called sepolicy from the loaded policy
  • seinfo sepolicy --permissive means get all permissive types from the sepolicy policy file.
  • seinfo sepolicy --permissive system_server means look or a permissive type called system_server from the sepolicy file.
  • seinfo --permissive -x sepolicy means get all permissive types from the sepolicy policy file and print additional info on them.

sesearch

Most sesearch behavior is the same.

  • The -A option will now search for allowxperm rules, in addition to allow rules.
  • The -C option was removed as the expressions for conditional rules will always be printed.
  • The -d (directly match attributes instead of their contents) option was split into individual options for source (-ds) and target (-dt) so the behavior can be better controlled.
  • The -r regular expression matching option was split into options for each field (except rule type) -rs, -rt, -rc, -rd, -rb, for regex matching on the source, target, object class, default, and Boolean.

sediff

Because of the simplified policy handling, the ; is not needed on the command line.

SETools 3:

$ sediff old-policy.30 \; new-policy.30

SETools 4:

$ sediff old-policy.30 new-policy.30
  • The -A option will now diff allowxperm rules, in addition to allow rules.
  • The -q option has been removed. Now sediff will now always behave like the old -q flag, only printing headers if there is a difference or if the component is explicitly requested. For example, the header for allow rules will always be printed, even if there are no differences, if the --allow option is specified. If all differences are requested, only headers for components that have differences will be printed.

Graphical Differences

apol was completely redesigned with the Qt graphics toolkit. The changes from SETools v3 are too numerous to list here. The highlights are:

  • The organization is simplified into a single top-level tab bar, with single menu of analysis options to choose.
  • Different types of analysis tabs can be opened side by side.
  • Analysis tabs can be renamed to make working on a large analysis easier.
  • In each analysis tab:
    • Where relevant, there is a table-based view of the analysis results, with sorting.
    • The criteria can be hidden by unchecking a checkbox.
    • There is a notes field for taking notes on results.

Testing Differences

The SETools source code tree now provides automated tests for verifying correctness of the library functions. Additionally, during development, the TravisCI continuous integration service is used so tests are checked each time code is pushed to the repository. The 4.0.0 release has 95% test coverage.