NAME
seinfo - SELinux policy query tool
SYNOPSIS
seinfo [OPTIONS] [EXPRESSION] [POLICY ...]
DESCRIPTION
seinfo allows the user to query the components of a SELinux policy.
POLICY
seinfo supports loading a SELinux policy in one of four formats.
source A single text file containing policy source for versions 12
through 21. This file is usually named policy.conf.
binary A single file containing a monolithic kernel binary policy for
versions 15 through 21. This file is usually named by version -
for example, policy.20.
modular
A list of policy packages each containing a loadable policy
module. The first module listed must be a base module.
policy list
A single text file containing all the information needed to load
a policy, usually exported by SETools graphical utilities.
If no policy file is provided, seinfo will search for the system
default policy: checking first for a source policy, next for a binary
policy matching the running kernel’s preferred version, and finally for
the highest version that can be found. In the latter case, the policy
will be downgraded to match the running system. If no policy can be
found, seinfo will print an error message and exit.
EXPRESSIONS
One or more of the following component types can be queried. Each
option may only be specified once. If an option is provided multiple
times, the last instance will be used. Some components support the -x
flag to print expanded information about that component; if a
particular component specified does not support expanded information,
the flag will be ignored for that component (see -x below). If no
expressions are provided, policy statistics will be printed (see
--stats below).
-c[NAME], --class[=NAME]
Print a list of object classes or, if NAME is provided, print
the object class NAME. With -x, print a list of permissions for
each displayed object class.
--sensitivity[=NAME]
Print a list of sensitivities or, if NAME is provided, print the
sensitivity NAME. With -x, print the corresponding level
statement for each displayed sensitivity.
--category[=NAME]
Print a list of categories or, if NAME is provided, print the
category NAME. With -x, print a list of sensitivities with
which each displayed category may be associated.
-t[NAME], --type[=NAME]
Print a list of types (not including aliases or attributes) or,
if NAME is provided, print the type NAME. With -x, print a list
of attributes which include each displayed type.
-a[NAME], --attribute[=NAME]
Print a list of type attributes or, if NAME is provided, print
the attribute NAME. With -x, print a list of types assigned to
each displayed attribute.
-r[NAME], --role[=NAME]
Print a list of roles or, if NAME is provided, print the role
NAME. With -x, print a list of types assigned to each displayed
role.
-u[NAME], --user[=NAME]
Print a list of users or, if NAME is provided, print the user
NAME. With -x, print a list of roles assigned to each displayed
user.
-b[NAME], --bool[=NAME]
Print a list of conditional booleans or, if NAME is provided,
print the boolean NAME. With -x, print the default state of
each displayed conditional boolean.
--initialsid[=NAME]
Print a list of initial SIDs or, if NAME is provided, print the
initial SID NAME. With -x, print the context assigned to each
displayed SID.
--fs_use[=TYPE]
Print a list of fs_use statements or, if TYPE is provided, print
the statement for filesystem TYPE. There is no expanded
information for this component.
--genfscon[=TYPE]
Print a list of genfscon statements or, if TYPE is provided,
print the statement for the filesystem TYPE. There is no
expanded information for this component.
--netifcon[=NAME]
Print a list of netif contexts or, if NAME is provided, print
the statement for interface NAME. There is no expanded
information for this component.
--nodecon[=ADDR]
Print a list of node contexts or, if ADDR is provided, print the
statement for the node with address ADDR. There is no expanded
information for this component.
--portcon[=PORT]
Print a list of port contexts or, if PORT is provided, print the
statement for port PORT. There is no expanded information for
this component.
--protocol=PROTO
Print only portcon statements for the protocol PROTO. This
option is ignored if portcon statements are not printed or if no
statement exists for the requested port.
--all Print all components.
OPTIONS
-x, --expand
Print additional details for each component matching the
expression. These details include the types assigned to an
attribute or role and the permissions for an object class. This
option is not available for all component types; see the
description of each component for the details this option will
provide.
--stats
Print policy statistics including policy type and version
information and counts of all components and rules.
-h, --help
Print help information and exit.
-V, --version
Print version information and exit.
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright(C) 2003-2008 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
sesearch(1), apol(1)
seinfo(1)