sechecker(1) - SELinux policy checking tool



    sechecker(1)                General Commands Manual               sechecker(1)
    
    
    
    NAME
           sechecker - SELinux policy checking tool
    
    SYNOPSIS
           sechecker [OPTIONS] -p profile [POLICY ...]
           sechecker [OPTIONS] -m module [POLICY ...]
           sechecker [OPTIONS] -p profile -m module [POLICY ...]
    
    DESCRIPTION
           sechecker runs predefined, modular checks against an SELinux policy.
           Profiles group modules together and allow the default settings of
           those modules to be overridden (see PROFILE OPTIONS below).
    
    POLICY
           sechecker supports loading an SELinux policy in one of four formats.
    
           source A single text file containing policy source for versions 12
                  through 21. This file is usually named policy.conf.

           binary A single file containing a monolithic kernel binary policy for
                  versions 15 through 21. This file is usually named by version,
                  for example policy.20.
    
           modular
    	      A list of policy packages each containing a loadable policy mod‐
    	      ule. The first module listed must be a base module.
    
           policy list
    	      A single text file containing all the information needed to load
    	      a policy, usually exported by SETools graphical utilities.
    
           If no policy file is provided, sechecker searches for the system
           default policy: first a source policy, then a binary policy matching
           the running kernel's preferred version, and finally the highest
           binary policy version that can be found. In the last case the policy
           is downgraded to match the running system. If no policy can be
           found, sechecker prints an error message and exits.
    
    OPTIONS
           -p PROFILE, --profile=PROFILE
                  Load module settings from a module profile. The settings in the
                  profile override the default settings of every module it
                  names. If specified without -m, run all modules listed in the
                  profile. PROFILE may be either the name of a known profile (see
                  --list) or the path to a user-created profile. See PROFILE
                  OPTIONS below for information on creating profiles.
    
           -m MODULE, --module=MODULE
    	      Run only the module named MODULE (see --list).
    
           --min-sev=SEVERITY
                  Report only results with a severity of at least SEVERITY.
                  SEVERITY must be one of the following values:

                  low    The module's results indicate a flaw in the policy that
                         does not affect the manner in which the policy is
                         enforced, but is considered improper.

                  med    The module's results indicate a flaw in the policy that
                         changes the manner in which the policy is enforced, but
                         does not present an identifiable security risk.

                  high   The module's results indicate a flaw in the policy that
                         presents an identifiable security risk.
    
           --fcfile=FILE
                  Use FILE as the file_contexts file instead of the system
                  default. This flag is only applicable if sechecker was
                  configured with the --enable-sefs flag.
    
           -l, --list
                  Print the name and a brief description of every known profile
                  and module, then exit.
    
           -h[MODULE], --help[=MODULE]
                  Print general help information and exit. If MODULE is given,
                  print the help information for the module named MODULE and exit.
    
           -V, --version
    	      Print version information and exit.
    
       REPORT GENERATION OPTIONS
           Only one of the following may be given; it sets the report length for
           all modules and overrides both the profile and the module default
           output settings.

           -q, --quiet
                  Suppress output.

           -s, --short
                  Print short output.

           -v, --verbose
                  Print verbose output.
    
    PROFILE OPTIONS
           Profiles are used to group modules together, to specify the output
           format for each module in the report, and to override the modules'
           default options. Each profile is a well-formed XML document, as
           specified by the DTD installed with sechecker. An example profile
           follows:
    
           <sechecker version="1.1">
    	    <profile>
    		 <module name="find_domains">
    		      <output value="quiet"/>
    		      <option name="domain_attribute">
    			   <item value="domain"/>
    			   <item value="user_domain"/>
    			   ...
    		      </option>
    		 </module>
    		 ...
    	    </profile>
           </sechecker>
    
           The example profile sets the output property of the find_domains
           module and overrides the default value of that module's
           "domain_attribute" option.
    
       PROFILE OUTPUT OPTIONS
           The valid output values for each module are:

           verbose
                  Print each result in the report with accompanying proof(s).

           short  Print a list of results with no accompanying proof.

           none   Do not print output from this module in the report; module
                  errors are still printed.

           quiet  Do not print output from this module in the report and do not
                  print errors. This is useful for utility modules whose errors
                  are handled by the calling module.
    
       PROFILE MODULE OPTIONS
           Several modules provide one or more options that can be set from a
           profile. Each option has one or more items. To see which options a
           module provides, use --help=MODULE, where MODULE is the module name
           as printed by --list.
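           The following is an added example, not code from SETools or from this
           manual page. It generates a profile in the layout shown under PROFILE
           OPTIONS, lints a hand-written profile against the output values and
           element structure this page documents (it is not a substitute for the
           installed DTD), and assembles the sechecker command line from the
           SYNOPSIS and OPTIONS above. The module name "find_domains" and option
           "domain_attribute" are taken from the page's own example; the file
           names example_profile.xml and policy.conf, and the function names, are
           assumptions of the example.

```python
"""Generate, lint and invoke sechecker profiles.

Added example; not part of SETools or the sechecker man page. It relies only
on the profile layout shown in the man page (<sechecker version="1.1"> wrapping
<profile>, <module name=...>, <output value=...> and <option name=...> with
<item value=...> children), the PROFILE OUTPUT OPTIONS values, the --min-sev
severities and the documented command-line flags. File paths are illustrative.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

PROFILE_VERSION = "1.1"
VALID_OUTPUT = {"verbose", "short", "none", "quiet"}   # PROFILE OUTPUT OPTIONS
VALID_SEVERITY = {"low", "med", "high"}                # --min-sev values
REPORT_FLAGS = {"quiet": "-q", "short": "-s", "verbose": "-v"}


def build_profile(modules):
    """Build a profile element tree.

    modules maps a module name to a dict with optional keys "output" (one of
    VALID_OUTPUT) and "options" (option name -> list of item values). Invalid
    output values are rejected here instead of at sechecker run time.
    """
    root = ET.Element("sechecker", version=PROFILE_VERSION)
    profile = ET.SubElement(root, "profile")
    for name, cfg in modules.items():
        mod = ET.SubElement(profile, "module", name=name)
        output = cfg.get("output")
        if output is not None:
            if output not in VALID_OUTPUT:
                raise ValueError(f"module {name}: invalid output {output!r}")
            ET.SubElement(mod, "output", value=output)
        for opt, items in cfg.get("options", {}).items():
            if not items:
                raise ValueError(f"module {name}: option {opt} has no items")
            opt_el = ET.SubElement(mod, "option", name=opt)
            for item in items:
                ET.SubElement(opt_el, "item", value=item)
    return root


def profile_to_string(root):
    """Serialise the profile element tree to XML text."""
    return ET.tostring(root, encoding="unicode")


def lint_profile(xml_text):
    """Return a list of structural problems in a profile; empty if none found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "sechecker":
        problems.append(f"root element is <{root.tag}>, expected <sechecker>")
    if root.get("version") != PROFILE_VERSION:
        problems.append(f"unexpected profile version {root.get('version')!r}")
    for mod in root.iter("module"):
        name = mod.get("name")
        if not name:
            problems.append("<module> without a name attribute")
            continue
        for out in mod.findall("output"):
            if out.get("value") not in VALID_OUTPUT:
                problems.append(f"{name}: invalid output {out.get('value')!r}")
        for opt in mod.findall("option"):
            if not opt.get("name"):
                problems.append(f"{name}: <option> without a name")
            if not opt.findall("item"):
                problems.append(f"{name}: option {opt.get('name')!r} has no items")
    return problems


def sechecker_argv(profile=None, module=None, min_sev=None, fcfile=None,
                   report=None, policy=()):
    """Assemble a sechecker command line as described in SYNOPSIS and OPTIONS."""
    if profile is None and module is None:
        raise ValueError("need -p PROFILE, -m MODULE, or both")
    if min_sev is not None and min_sev not in VALID_SEVERITY:
        raise ValueError(f"invalid --min-sev value {min_sev!r}")
    argv = ["sechecker"]
    if report is not None:
        argv.append(REPORT_FLAGS[report])      # -q/-s/-v are mutually exclusive
    if min_sev is not None:
        argv.append(f"--min-sev={min_sev}")
    if fcfile is not None:
        argv.append(f"--fcfile={fcfile}")
    if profile is not None:
        argv += ["-p", profile]
    if module is not None:
        argv += ["-m", module]
    argv.extend(policy)                        # optional POLICY ... arguments
    return argv


if __name__ == "__main__":
    # Profile mirroring the man page example; policy.conf is an assumed path.
    root = build_profile({"find_domains": {
        "output": "quiet",
        "options": {"domain_attribute": ["domain", "user_domain"]}}})
    text = profile_to_string(root)
    assert lint_profile(text) == []
    with open("example_profile.xml", "w", encoding="utf-8") as fh:
        fh.write(text)
    argv = sechecker_argv(profile="example_profile.xml", min_sev="high",
                          report="verbose", policy=["policy.conf"])
    print(" ".join(argv))
    if shutil.which("sechecker"):              # only run where SETools is installed
        subprocess.run(argv, check=False)
```

           Run as a script it writes example_profile.xml, prints the command line
           it would use, and executes sechecker only if the binary is on PATH, so
           the profile generation and linting can be exercised on a host without
           SETools.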
    
    AUTHOR
           This manual page was written by Jeremy A. Mowery <[email protected]>.
    
    COPYRIGHT
           Copyright(C) 2005-2008 Tresys Technology, LLC
    
    BUGS
           Please report bugs via an email to [email protected].
    
    SEE ALSO
           apol(1)
    