A few days ago, Jason "perfinion" Zaman stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a few new features, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package into separate packages so that deployments can be made more specific.
Let's take a look at all the various userspace packages again, learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).
## libsepol - manipulating SELinux binary policies

The first package, known in Gentoo as `sys-libs/libsepol`, is the library that enables manipulating the SELinux binary policies. This is a core library, and is the first SELinux userspace package that is installed on a system.

It contains one command, `chkcon`, which allows users to validate if a specific security context exists within a binary policy file:

```
~$ chkcon policy.29 user_u:user_r:mozilla_t:s0
user_u:user_r:mozilla_t:s0 is valid
```

The package does contain two manpages of old commands which are no longer available (or I'm blind; either way, they're not installed and not found in the SELinux userspace repository either), namely `genpolusers` and `genpolbools`.
## libselinux - the main SELinux handling library

The libselinux library, known in Gentoo as `sys-libs/libselinux`, is the main SELinux library. Almost all applications that are SELinux-aware (meaning they not only know SELinux is a thing, but are actively modifying their behavior with SELinux-specific code) will link to libselinux.

Because it is so core, the package also provides the necessary bindings for different scripting languages besides the standard shared objects approach, namely Python (as much SELinux related tooling is written in Python) and Ruby.

Next to the bindings and libraries, libselinux also offers quite a few executables to query and manipulate SELinux settings on the system, which are briefly described on the SELinux userspace wiki but repeated here for convenience. Most of these are meant for debugging purposes, as they are simple wrappers toward the libselinux provided functions, but some of them are often used by administrators.
- `avcstat` gives statistics about the in-kernel access vector cache, such as number of lookups, hits and misses
- `compute_create` queries the kernel security server for a transition decision
- `compute_av` queries the kernel security server for an access vector decision
- `compute_relabel` queries the kernel security server for a relabel decision
- `compute_member` queries the kernel security server for a labeling decision on a polyinstantiated object
- … `security_compute_user()` function, and orders the resulting list based on the `default_contexts` file and per-user context files
- … `getconlist` but only returns the first context
- `compute_user` queries the kernel security server for a set of reachable user contexts from a source context
- `getfilecon` gets the context of a file by path
- `getpidcon` gets the context of a process by PID
- … `seuser` file for the resulting SELinux user and context for a particular Linux login and login context
- `getsebool` gets the current state of a SELinux boolean in the SELinux security server
- `matchpathcon` queries the active file context file for how a particular path should be labeled
- `policyvers` queries the kernel security server for the maximum policy version supported
- `getenforce` gets the enforcing state of the kernel access vector cache
- `sefcontext_compile` generates binary file context files, optimized for fast querying
- `selabel_lookup` looks up what the target default context is for various classes (supporting the X related SELinux types, database types, etc.)
- `selabel_digest` calculates the SHA1 digest of spec files, and returns a list of the spec files used to calculate the digest. This is used by Android.
- `selabel_partial_match` determines if a direct or partial match is possible on a file path
- `selabel_lookup_best_match` obtains the best matching SELinux security context for file-based operations
- `selinux_check_securetty_context` checks whether a SELinux tty security context is defined as a securetty context
- `selinux_check_access` checks if the source context has the access permission for the specified class on the target context
- `selinuxexeccon` reports the SELinux context for an executable
- `selinuxenabled` returns if SELinux is enabled or not
- `setfilecon` sets the context of a path
- `setenforce` sets the enforcing state of the kernel access vector cache
- `togglesebool` toggles a SELinux boolean, but only at runtime (so it does not persist across reboots)
## checkpolicy - policy compiler

The checkpolicy package, known in Gentoo as `sys-apps/checkpolicy`, provides two … `checkmodule`. Both applications are compilers (unlike what the name implies) which build a binary SELinux policy. The main difference between these two is that one builds a policy binary, whereas the other one builds a SELinux module binary.

Developers don't often call these applications themselves, but use the build scripts. For instance, the `semodule_package` binary would be used to combine the binary policy with additional files such as file contexts.
## libsemanage - facilitating use of SELinux overall

The libsemanage library, known in Gentoo as `sys-libs/libsemanage`, contains SELinux supporting functions that are needed for any regular SELinux use. Whereas libselinux would be used everywhere, even for embedded systems, libsemanage is generally not for embedded systems but is very important for Linux systems overall.

Most SELinux management applications that administrators come in contact with will be linked with the libsemanage library. As can be expected, the … as offered by the `selinux-python` package is one of them.

The only application that is provided by libsemanage is the … used to migrate the policy store from the `/etc/selinux` to the … location. This was done with the introduction of the 2.4 userspace.
## selinux-python - Python-based command-line management utilities

The selinux-python package, known in Gentoo as `sys-apps/selinux-python`, is one of the split packages that originally were part of the policycoreutils package. It contains the majority of management utilities that administrators use for handling SELinux on their systems.
The most known application here is `semanage`, but it contains quite a few others:

- `sepolgen` generates an initial SELinux policy module template, and is short for the …
- `audit2why` translates SELinux audit messages into a description of why the access was denied. It is short for the …
- `audit2allow` generates SELinux policy allow/dontaudit rules from logs of denied operations
- `sepolgen-ifgen` generates an overview of available interfaces. This overview is used by `audit2allow` to guess the right interface to use when allowing or dontauditing certain operations.
- `sepolicy` is the SELinux policy inspection tool, allowing users to query various aspects of a SELinux configuration (namely booleans, communication flows, interfaces, network information and transition information). It also provides the ability to generate skeleton policies (as described with `sepolgen`) and manual pages.
- `chcat` changes a file's SELinux security category
- `sepolgen-ifgen-attr-helper` generates an overview of attributes and attribute mappings. This overview is used by `audit2allow` to guess the right attribute to use when allowing or dontauditing certain operations.
- `semanage` is the SELinux policy management tool, allowing a multitude of operations against the SELinux policy and the configuration. This includes definition import/export, login mappings, user definitions, port and interface management, module handling, file contexts, booleans and more.
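To make concrete what `audit2allow` does with "logs of denied operations", here is an added example (my own code, not part of the post or of the SELinux userspace) that parses constructed AVC denial lines and merges them into allow rules per source type, target type and object class, the same grouping `audit2allow` performs. Real `audit2allow` also consults the interface and attribute overviews produced by `sepolgen-ifgen`; this example deliberately stops at raw type-level rules, which is where a policy developer would start reviewing them with `audit2why`.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in audit.log format (not captured from a real system).
SAMPLE_AVC = """\
type=AVC msg=audit(1500000000.123:42): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.124:43): avc:  denied  { open } for  pid=1234 comm="nginx" path="/home/alice/index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.200:44): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
"""

# Permissions sit between braces; scontext/tcontext/tclass follow as key=value tokens.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, class, permissions) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a line this parser does not understand)
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def generate_allow_rules(text):
    """Merge denials by (source, target, class) and emit one allow rule per group."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(generate_allow_rules(SAMPLE_AVC)))
```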
## semodule-utils - Developing SELinux modules

The semodule-utils package, known in Gentoo as `sys-apps/semodule-utils`, is another split package that originally was part of the policycoreutils package. In it, SELinux policy module development utilities are provided. The package is not needed for basic operations such as loading and unloading modules though.

- `semodule_expand` expands a SELinux base module package into a kernel binary policy file
- `semodule_deps` shows the dependencies between SELinux policy packages
- `semodule_link` links SELinux policy module packages together into a single SELinux policy module
- `semodule_unpackage` extracts a SELinux module into the binary policy and its associated files (such as file context definitions)
- `semodule_package` combines a modular binary policy file with its associated files (such as file context definitions) into a module package
## mcstrans - Translate context info in human readable names

The mcstrans package, known in Gentoo as `sys-apps/mcstrans`, is another split package that originally was part of the policycoreutils package. In it, the MCS translation daemon is hosted. This daemon translates the SELinux-specific context ranges, like `s0-s0:c0.c1024`, to a human-readable set, like …

This is a purely cosmetic approach (as SELinux internally always uses the sensitivity and category numbers) but helps when dealing with a large number of separate categories.
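As an added illustration of that translation (my own code, not the mcstrans daemon), the following maps raw MCS ranges to labels from a constructed table in the spirit of `setrans.conf`. The point it shows beyond the paragraph is that `c0.c3` (a range) and `c0,c1,c2,c3` (a list) denote the same category set, so a translator has to canonicalise the range before looking it up; the label names and category numbers in the table are assumptions, not a real configuration.

```python
# Constructed translation table (assumption, not a real setrans.conf):
# raw sensitivity/category range -> human-readable label.
SETRANS = {
    "s0": "SystemLow",
    "s0-s0:c0.c1023": "SystemLow-SystemHigh",
    "s0:c0.c1023": "SystemHigh",
    "s0:c0,c2": "Project_A",
    "s0:c1": "Project_B",
}


def expand_categories(spec):
    """Turn 'c0.c3,c7' into {0, 1, 2, 3, 7}: '.' denotes a range, ',' separates items."""
    cats = set()
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def canonical(level):
    """Normalise one level 'sN[:cats]' so that equal category sets compare equal."""
    sens, _, cats = level.partition(":")
    if not cats:
        return sens
    return sens + ":" + ",".join(f"c{c}" for c in sorted(expand_categories(cats)))


def canonical_range(rng):
    """Normalise 'low-high' (or a single level) component by component."""
    low, _, high = rng.partition("-")
    return canonical(low) + ("-" + canonical(high) if high else "")


_RAW_TO_NAME = {canonical_range(raw): name for raw, name in SETRANS.items()}
_NAME_TO_RAW = {name: raw for raw, name in SETRANS.items()}


def translate(rng):
    """Raw MCS range -> label; ranges without a translation are passed through unchanged."""
    return _RAW_TO_NAME.get(canonical_range(rng), rng)


def untranslate(name):
    """Label -> raw MCS range (what the kernel actually sees); unknown names pass through."""
    return _NAME_TO_RAW.get(name, name)
```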
## restorecond - Automatically resetting file contexts

The restorecond package, known in Gentoo as `sys-apps/restorecond`, is another split package that originally was part of the policycoreutils package. It contains the `restorecond` daemon, which watches over files and directories and forces the right SELinux label on them.
This daemon was originally intended to resolve a missing feature in SELinux (having more fine-grained rules for label naming) but with the named file transition support, the need for this daemon has diminished a lot.
## secilc - SELinux common intermediate language compiler

The secilc package, known in Gentoo as `sys-apps/secilc`, is the CIL compiler which builds kernel binary policies based on the passed CIL code. Although the majority of policy development still uses the more traditional SELinux language (and supporting macros from the reference policy), developers can already use CIL code for policy generation. With `secilc`, a final policy file can be generated from the CIL code.
## selinux-dbus - SELinux DBus server

The selinux-dbus package (not packaged in Gentoo at this moment) provides a SELinux DBus service which systems can use to query and interact with SELinux management utilities on the system. If installed, the `org.selinux` domain is used for various supported operations (such as listing SELinux modules, through …
## selinux-gui - Graphical SELinux settings manager

The selinux-gui package (not packaged in Gentoo at this moment) provides the `system-config-selinux` application which offers basic SELinux management support in a graphical application. It supports boolean handling, file labeling, user mapping, SELinux user management, network port definitions and module handling. As such, it can be seen as the graphical helper utility for the …
## selinux-sandbox - Sandbox utility utilizing SELinux sandbox domains

The selinux-sandbox package (not packaged in Gentoo at this moment) is a set of scripts to facilitate the creation of SELinux sandboxes. With these utilities, which not only use SELinux sandbox domains like `sandbox_t` but also Linux namespaces, end users can launch applications in a restricted environment.
## policycoreutils - Core SELinux management utilities

The policycoreutils package, known in Gentoo as …, provides the basic SELinux tooling which is necessary to handle SELinux in a regular environment. Supported utilities are:

- `newrole` to switch a user session from one role to another
- `secon` to query the SELinux context of a file, program or user input
- `genhomedircon` to regenerate home directory context files, necessary when new users are defined on the system
- `setfiles` to set SELinux file security contexts on resources
- `semodule` to list, load and unload SELinux modules
- `run_init` to launch an init script in the right domain
- `open_init_pty` to run a program under a pseudo terminal with the right context set
- `sestatus` to query current policy status
- `setsebool` to set and, if wanted, persist a SELinux boolean value
- `selinuxconfig` to display the current active configuration paths
- `restorecon` to set SELinux file security contexts on resources
- `load_policy` to load the SELinux policy, generally called from initramfs systems if the init system is not SELinux-aware
- … the `security.restorecon_last` extended attribute which is set by …

Gentoo also adds in two additional scripts:

- `rlpkg` to reset file contexts on files provided by a Gentoo package
- `selocal` to easily handle small SELinux rule additions to the active policy
## There are even more

Attentive readers will notice that the setools package is not discussed here. This package is not provided by the SELinux userspace project, but is an important package for SELinux policy developers as it contains the `sesearch` command, an often used command to query the active policy.

The above list is thus a picture of the SELinux userspace utilities, which is becoming quite a big application set now that some functionality is split off from the