5. sesearch - SELinux policy query tool

sesearch - SELinux policy query tool 


  • sesearch(1)		    General Commands Manual		   sesearch(1)



NAME
       sesearch - SELinux policy query tool

SYNOPSIS
       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION
       sesearch allows the user to search the rules in a SELinux policy.

POLICY
       sesearch supports loading a SELinux policy in one of four formats.

       source A	 single	 text  file  containing	 policy source for versions 12
	      through 21. This file is usually named policy.conf.

       binary A single file containing a monolithic kernel binary  policy  for
	      versions	15 through 21. This file is usually named by version -
	      for example, policy.20.

       modular
	      A list of policy packages each containing a loadable policy mod‐
	      ule. The first module listed must be a base module.

       policy list
	      A single text file containing all the information needed to load
	      a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, sesearch	will  search  for  the	system
       default	policy:	 checking first for a source policy, next for a binary
       policy matching the running kernel's preferred version, and finally for
       the  highest version that can be found.	In the latter case, the policy
       will be downgraded to match the running system.	If no  policy  can  be
       found, sesearch will print an error message and exit.

RULE TYPE OPTIONS
       sesearch	 is capable of searching multiple types of rules. At least one
       of the following must be provided to specify  the  desired  type(s)  of
       rules to search.

       -A, --allow
	      Search for allow rules.

       --neverallow
	      Search for neverallow rules.

       --auditallow
	      Search for auditallow rules.

       -D, --dontaudit
	      Search for dontaudit rules.

       -T, --type
	      Search for type_transition, type_member, and type_change rules.

       --role_allow
	      Search for role allow rules.

       --role_trans
	      Search for role_transition rules.

       --range_trans
	      Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS
       The  user  may  specify	an  expression	containing  values for a given
       field(s) in a rule.  Only those fields applicable to a given rule  type
       will  be	 used;	all  other  fields  will  be  ignored.	 (For example,
       type_transition rules  will  ignore  the	 permissions  field.)	If  no
       expression  is  specified or if none of the specified fields apply to a
       given rule type, all rules of that type are  considered	to  match  the
       expression.

       -s NAME, --source=NAME
	      Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
	      Find rules with type/attribute NAME as their target.

       -D NAME, --default=NAME
	      Find rules with type NAME as their default.

       --role_source=NAME
	      Find rules with role NAME as their source.

       --role_target=NAME
	      Find rules with role NAME as their target.

       -c NAME, --class=NAME
	      Find rules with class NAME as their object class.

       -p P1[,P2,...] --perm=P1[,P2...]
	      Find rules with at least one of the specified permissions.  Mul‐
	      tiple permissions may be specified as a comma separated list; it
	      is  recommended  that this list be quoted for shells that inter‐
	      pret comma as a special character.

       -b NAME, --bool=NAME
	      Find conditional rules with NAME in  their  conditional  expres‐
	      sion.  This option will include rules in both the true and false
	      lists of the conditional.

OPTIONS
       The following additional options exist to modify how the search is per‐
       formed and the amount of information printed for each result.

       -d, --direct
	      Normally	rules  are matched using the type given or any of that
	      type's attributes (or an attribute's  types).   This  "indirect"
	      matching	also  considers	 types	used in complemented sets, the
	      special set "*", and the special target "self".  When the direct
	      flag  is	given,	matching  is  done  literally.	 The rule must
	      explicitly contain the given type (or attribute) for  it	to  be
	      returned.

       -R, --regex
	      Use  regular expressions to match symbol names.  By default only
	      exact string matches will be considered.

       -n, --linenum
	      Print the line number for each rule.  This option is ignored  if
	      using the --semantic option or if line numbers are not available
	      for the given policy.

       -S, --semantic
	      Search rules semantically instead of syntactically. This	option
	      is implied for policies for which syntactic rules are not avail‐
	      able.

       -C, --show_cond
	      Print the conditional expression and state for  all  conditional
	      rules found.  This option has no effect on unconditional rules.

       -h, --help
	      Print help information and exit.

       -V, --version
	      Print version information and exit.

AUTHOR
       This manual page was written by Jeremy A. Mowery <[email protected]>.

COPYRIGHT
       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS
       Please report bugs via an email to [email protected].

SEE ALSO
       seinfo(1), apol(1)



								   sesearch(1)
redhat manpages 308
Log in to reply
 

© Lightnetics 2024