Friday, February 12, 2010

11. SELinux Tools

Utility "star"
Archiving SELinux labeled files (backup of SELinux labeled files using "star")
    Currently "tar" does not back up the SELinux context information while archiving. The "star" tool is not installed by default; it is a replacement for tar on an SELinux system and preserves the security context information (stored as extended attributes) of the files it archives.
Usage of "star"
The following example shows how it works:
# mkdir /root/test
# seq 1000000 > /root/test/test_file.txt
# ls -alZ /root/test/
    Make note of the SELinux label.
# star -xattr -H=exustar -c -f <archive> /root/test
    This will create a file called <archive> (substitute the archive name you want) containing /root/test together with its extended attributes (-xattr), written in the exustar header format (-H=exustar).
Now test the above statement by extracting the archive using "star":
# cp <archive> /tmp && cd /tmp
# star -xattr -x -f <archive>
# ls -alZ /test
    Now we can see that the directory archived earlier still has its preserved security context. With "tar" the result differs: on extraction the newly created files take on the context of the parent directory.
    The archive created by star can also be extracted by tar, but tar will not be able to read the extended attributes from the archive, so the extracted files are created without the preserved context information. Optionally we can back up without the SELinux context information and rely on reinstating the SELinux context for all files afterwards using "fixfiles" or with "# touch /.autorelabel && reboot". This method is used for all tools that are not SELinux aware.

SELinux LOG files
What to look for in the log files when troubleshooting denials/permission problems:
    /var/log/messages is the default audit log file (this may vary according to the "kern*" entry in the /etc/syslog.conf file); it stores the messages related to "avc".
# grep avc /var/log/messages | less
    This shows the log of SELinux activity in the system. The file logs the following events:
1. usage of resources
2. relabeling of file contexts
3. changing the mode (enforcing=0 & enforcing=1)
4. changes to booleans
5. file system relabeling after a reboot triggered by /.autorelabel

Structure of a log entry when SELinux denies an action
avc: denied { getattr read link } for pid 4223 exec=/usr/sbin/httpd path=/home/user/public_html scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
    avc: denied { getattr read link }      - the operation(s) the subject attempted on the object
    pid 4223                               - the process ID
    exec=/usr/sbin/httpd                   - the executable (daemon) that was running
    path=/home/user/public_html            - path to the object accessed by the subject
    scontext=user_u:system_r:httpd_t       - source (subject) context information
    tcontext=system_u:object_r:user_home_t - target (object) context information
    tclass=dir                             - the class of the object (directory, file, ...)
    These logs are used to troubleshoot SELinux issues. A problem may initially be due to DAC rather than MAC, and both end up producing log entries here, so check the DAC permissions before checking MAC.
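As an added example (not part of the original post), the Python script below parses denial entries in the layout shown above and groups them by source context, target context and class, which is the unit you actually troubleshoot. The log lines in it are constructed; the exec= field name follows the post and the quoted comm="..." form is assumed from newer kernels.

```python
import re
from collections import defaultdict

# Added example, not from the original post: summarise AVC denials from a
# syslog-style file such as /var/log/messages. The sample lines below are
# constructed in the layout described in the text (exec=/path= fields); the
# parser also accepts the quoted comm="..." / path="..." form of newer kernels.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
Feb 12 10:01:02 host kernel: audit(1265968862.123:42): avc: denied { getattr read } for pid=4223 exec=/usr/sbin/httpd path=/home/user/public_html scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 12 10:01:02 host kernel: audit(1265968862.456:43): avc: denied { read } for pid=4223 comm="httpd" path="/home/user/public_html/index.html" scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Feb 12 10:01:05 host kernel: audit(1265968865.789:44): avc: denied { getattr } for pid=4224 exec=/usr/sbin/httpd path=/home/user/public_html scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
Feb 12 10:02:00 host kernel: SELinux: initialized (dev sda1, type ext3), uses xattr
"""

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())   # attempted operations
    return rec

def summarise(log_text):
    """Group denials by (scontext, tcontext, tclass) with count, perms, paths.

    One group per subject domain / object type / class is the unit you
    troubleshoot: it names the label (or DAC permission) that needs fixing.
    """
    groups = defaultdict(lambda: {'count': 0, 'perms': set(), 'paths': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec.get('scontext'), rec.get('tcontext'), rec.get('tclass'))]
        g['count'] += 1
        g['perms'] |= rec['perms']
        g['paths'].add(rec.get('path', '?'))
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), g in summarise(SAMPLE_LOG).items():
        perms = ' '.join(sorted(g['perms']))
        print(f"{g['count']:3d}  {src} -> {tgt} tclass={cls} {{ {perms} }}")
        for path in sorted(g['paths']):
            print(f"       {path}")
```

Feed it the output of "grep avc /var/log/messages" (or whatever file the kern.* entry in syslog.conf points to) to get one line per subject/object/class combination instead of one per denial.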

Enabling Auditing:
    This makes SELinux more verbose in logging information to the log file, which makes debugging SELinux related issues easier.
To enable auditing
Modify /etc/grub.conf by appending "audit=1" to the kernel boot line
# vim /etc/grub.conf
# reboot
    Reboot the system; this completes the enabling of auditing.
Confirming whether auditing is enabled
# cat /proc/cmdline
ro root=LABEL=/ rhgb quiet audit=1
    This file contains the switches used to start the currently running kernel. Verify that the option "audit=1" is present.
# grep audit /var/log/messages
(This may vary according to your kernel logging location)
    Monitor the above log file; it shows audit related messages, including the information about auditing being enabled.

Now we will create a condition to test/witness auditing. We will use Apache for it.

# /usr/sbin/run_init /etc/init.d/httpd start
# ps -ef | grep httpd
    This starts httpd with support for SELinux (run_init launches the service in its proper SELinux domain).
# cd /home/user/
# chcon -R -t user_home_t public_html
    Now we have changed the type of public_html to user_home_t, which is an incorrect label, so Apache cannot access these files. Thus we can generate auditing information.
Verify the mode that SELinux is running in
# cat /selinux/enforce
    If this prints 0, SELinux is running in permissive mode, which will generate the audit information.
Note: Permissive mode will not deny subjects from accessing objects, but it does generate the logs.

Open the browser and access the file
    This will load the file (because we are in permissive mode).
Now switch to enforcing mode and try accessing the same URL http://localhost/~user/
# echo 1 > /selinux/enforce
    This will deny the file access.
Check the log file. According to the syslog.conf file it logs to /var/log/firewall.log; this can be changed.
# grep kern /etc/syslog.conf
# less /var/log/firewall.log
    The default /var/log/messages file only contains the information about switching the SELinux mode, which means the audit messages have been logged somewhere else. Here /var/log/firewall.log shows the detailed information about SELinux activity. This is very useful to trace the exact problem on an SELinux enabled system: we can analyze which subjects were denied access to which objects. By default auditing is disabled; it is necessary for debugging SELinux related issues. The log file grows rapidly, so log analysis should be taken care of on a daily basis.

Installing SELinux Management Tools
    These tools help in auditing and inspecting the SELinux environment. Both GUI and CLI tools are available.

Shell Based Tools
Install the package using rpm: setools-xx.rpm.
1. seinfo
    Provides useful information from a source or binary policy.
# /usr/bin/seinfo /etc/selinux/targeted/policy/policy.18
    This returns information about the policy. Without the path of the policy the tool fails to run.
This shows the policy that is cached by the "avc" and running on the system.

2. avcstat (Access Vector Cache statistics)
    This tool shows the status of the AVC, which caches the access decisions of the current policy; it includes information about hits, misses, lookups, etc. From it we can get a sense of whether SELinux usage has increased or decreased.
Installed in the location /usr/sbin/avcstat
# /usr/sbin/avcstat
   lookups       hits     misses     allocs   reclaims      frees
   2033982    2010020      12772      13983        140      12005
    This returns the number of lookups to the AVC cache and the number of hits in the cache. These are metrics we have to monitor to see whether the system is under performing. If the number of lookups is double the number of hits then the system will be under performing.
# /usr/sbin/avcstat 5
    This refreshes every 5 seconds and shows the output.
3. sesearch
    This has the ability to search the policy based on source type, target type or class, scanning the whole policy for matches to determine which subjects relate to which objects according to the rules.
# /usr/bin/sesearch -a -t httpd_sys_content_t /etc/selinux/targeted/policy/policy.18
    This shows all the rules (-a) that match the type (-t) httpd_sys_content_t in the given policy "policy.18". The tool dumps the permissions granted on the type we have given, so it is very useful for troubleshooting, and the output can be used as a template when writing rules for a new domain.
# /usr/bin/sesearch -a -s httpd_t /etc/selinux/targeted/policy/policy.18
    This shows all the rules with the source type (-s) httpd_t.

GUI Based Tools
1. seaudit
    This provides a way to interact with the entries logged by SELinux in the default location /var/log/messages. If the kernel logs are not going to /var/log/messages we have to point the tool at the appropriate file location.
Installing the tool:
# rpm -ivh setools-gui-xx.rpm
    This installs both seaudit and apol.
# seaudit -l /var/log/firewall.log -p /etc/selinux/targeted/policy/policy.18
    seaudit has to be given the location of the log file (-l) and the location of the policy (-p).

2. apol
    apol is a graphical tool that allows the user to inspect aspects of an SELinux security policy. The tool lets the user browse policy components (types, classes, roles, users, etc.), rules (TE, RBAC, MLS), and file system contexts. Among other capabilities, the tool provides in-depth analysis of domain transitions, information flows, and relabeling permissions.
