-
Notifications
You must be signed in to change notification settings - Fork 67
Changes Since SETools v3
SETools v4 is a rewrite of SETools in Python. The most-used tools have been reimplemented:
Additionally, two new tools were added:
- seinfoflow (a command-line information flow analysis)
- sedta (a command-line domain transition analysis)
SETools' handling of policy has been simplified. Previously loading of a set of modules (*.pp
)
was supported, but this usage was atypical and ignored local customizations being applied
by semanage. Now all tools will work only on the binary (kernel) policy (e.g. policy.x
or sepolicy
)
or a monolithic policy source file (typically policy.conf
).
In general, the command line behavior of tools was retained, but there are a few minor differences,
especially due to the use of Python's argparse
command line parser. Additionally, all tools now have two
new options: -v
for more additional processing information, and --debug
for debugging information.
seinfo
's previous command line options remain the same, though there are more options due to new
SETools features. A space is now supported between the switch and their optional arguments:
seinfo -t type_t
However, the optional arguments are chosen over specifying a policy. e.g.
-
seinfo --permissive
means get all permissive types from the loaded policy. -
seinfo --permissive sepolicy
means look for a permissive type calledsepolicy
from the loaded policy -
seinfo sepolicy --permissive
means get all permissive types from thesepolicy
policy file. -
seinfo sepolicy --permissive system_server
means look or a permissive type calledsystem_server
from thesepolicy
file. -
seinfo --permissive -x sepolicy
means get all permissive types from thesepolicy
policy file and print additional info on them.
Most sesearch
behavior is the same.
- The
-A
option will now search forallowxperm
rules, in addition toallow
rules. - The
-C
option was removed as the expressions for conditional rules will always be printed. - The
-d
(directly match attributes instead of their contents) option was split into individual options for source (-ds
) and target (-dt
) so the behavior can be better controlled. - The
-r
regular expression matching option was split into options for each field (except rule type)-rs
,-rt
,-rc
,-rd
,-rb
, for regex matching on the source, target, object class, default, and Boolean.
Because of the simplified policy handling, the ;
is not needed on the command line.
SETools 3:
$ sediff old-policy.30 \; new-policy.30
SETools 4:
$ sediff old-policy.30 new-policy.30
- The
-A
option will now diffallowxperm
rules, in addition toallow
rules. - The
-q
option has been removed. Nowsediff
will now always behave like the old-q
flag, only printing headers if there is a difference or if the component is explicitly requested. For example, the header for allow rules will always be printed, even if there are no differences, if the--allow
option is specified. If all differences are requested, only headers for components that have differences will be printed.
apol
was completely redesigned with the Qt graphics toolkit. The changes from SETools v3 are too
numerous to list here. The highlights are:
- The organization is simplified into a single top-level tab bar, with single menu of analysis options to choose.
- Different types of analysis tabs can be opened side by side.
- Analysis tabs can be renamed to make working on a large analysis easier.
- In each analysis tab:
- Where relevant, there is a table-based view of the analysis results, with sorting.
- The criteria can be hidden by unchecking a checkbox.
- There is a notes field for taking notes on results.
The SETools source code tree now provides automated tests for verifying correctness of the library functions. Additionally, during development, the TravisCI continuous integration service is used so tests are checked each time code is pushed to the repository. The 4.0.0 release has 95% test coverage.