SELinux Tools (setools), version 2.1.1
by Tresys Technology, LLC
(selinux@tresys.com, www.tresys.com/selinux)

May 17, 2005

OVERVIEW

This file describes the SELinux tools (setools) developed by Tresys. 
See the change log for details on the changes in this version. 

The tools and libraries in this release include:

1. apol: The GUI-based policy analysis tool.

2. seuser: A GUI (seuserx) and command line (seuser) user manager tool 
   for SELinux.  This is a tool that actually manages a portion of a 
   running policy (i.e., user accounts).  

3. seuser scripts: A set of shell scripts: seuseradd, seusermod, and 
   seuserdel.  These scripts combine the functions of the associated 
   user management commands (useradd etc.) with the seuser tool, to 
   provide a single interface to effectively manage all users in an 
   SELinux system.

4. seaudit: A GUI-based audit log analysis tool for Security 
   Enhanced Linux.  This tool allows you to sort and filter the audit 
   log, query the policy based on audit messages, as well as export
   audit log messages to a file. You can also create reports in HTML
   or plain-text format using an entire audit log or an seaudit view.
  
5. seaudit-report: A new command-line tool for generating reports on 
   SE Linux audit messages in plain text or HTML format.  Reports 
   generated by this tool can be configured to include standard report 
   sections such as policy load messages, enforcement toggles messages, 
   policy boolean messages, etc. A key feature of the tool is that 
   reports can be further customized through the use of saved seaudit 
   view files. This tool can effectively be used as a plugin to other 
   audit log analysis tools,  such as the LogWatch application, which 
   comes standard with Red Hat Linux. 

6. secmds: Command line tools for policy manipulation and SE Linux system
   administration. Includes:

   Two command line tools that provide a few of the features of apol 
   without the need for a GUI.  Seinfo is a command line tool for 
   looking at a SE Linux policy, and viewing various component elements 
   and statistics.  Sesearch is a command line tool to search the TE 
   rules.
   
   Two command line tools for manipulating contexts on filesystem objects. 
   Findcon allows searches for files with contexts that match a search 
   string. The search string can specify complete contexts, partial 
   contexts, and shell globbing style wildcards. Replcon provides the same 
   functionality but will then replace the context or part of the context 
   on the matched filesystem objects.
   
   Two new command line tools for creating/analyzing a snapshot of security
   contexts for SE Linux filesystem entities. Indexcon is used for indexing
   the security contexts of filesystem entities and searchcon is used for 
   searching the SE Linux filesystem database, which was created using 
   indexcon. Searchcon allows you to search for specific pathnames and/or 
   for pathnames whose label contains a particular type name and/or user 
   name. 
    

7. sepcut: A basic GUI-based policy configuration, browsing, editing, 
   and testing tool. This tool is intended to provide a complete, 
   single user interface for viewing the source files of a policy, 
   configuring policy program modules, editing policy files, and 
   making and testing the policy.

8. awish: A version of the Tcl/Tk wish interpreter that includes the 
   setools libraries.  We use this to test our GUIs (apol and seuser 
   have the interpreter compiled within them).  One could conceivably 
   write one's own GUI tools using Tcl/Tk as extended via awish.

9. libapol: The main policy analysis library, which is the core 
   library for all of our tools.

10. libseuser: The primary logic used for seuser.

11. libseaudit: The library for parsing and storing SE Linux 
    audit messages.
  
12. libsefs: The library for indexing and analyzing a snapshot of 
    security contexts for SE Linux filesystem entities.

13. sediff: A GUI (sediffx) and command line (sediff) tool to find
    the semantic difference between two SELinux policies.

Apol, sepcut, seuser, seaudit, seaudit-report, secmds, sediff,
and the seuser* shell scripts are the primary tools in this
package.  The other tool (awish) and the four libraries can serve
as building blocks for the development of additional tools.  All
of these tools and libraries are early generation, with little
maturity, and should be used with care.

See the help files for apol, sepcut, seaudit, sediff, and seuser
for specific help on using these tools.

These tools will likely have bugs (see KNOWN-BUGS for those of which 
we are aware).  Please report any new bugs or comments to 
selinux@tresys.com. Thank you.


THIS RELEASE

See the change log for a summary and history of all changes to 
setools.


COPYING

The intent is to allow free use of this source code under the GNU 
General Public License (see COPYING).  All source code is copyright 
protected and freely distributed under the GNU GPL (see COPYING). 
Absolutely no warranty is provided or implied (see COPYING).
