NAME
sesearch - SELinux policy query tool
SYNOPSIS
sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]
DESCRIPTION
sesearch searches the rules of an SELinux policy and prints those that match the requested rule type(s) and, optionally, an expression over the rule fields (source, target, class, permissions, boolean).
POLICY
sesearch supports loading a SELinux policy in one of four formats.
source
A single text file containing policy source for versions 12
through 21. This file is usually named policy.conf.
binary
A single file containing a monolithic kernel binary policy for
versions 15 through 21. This file is usually named by version -
for example, policy.20.
modular
A list of policy packages each containing a loadable policy
module. The first module listed must be a base module.
policy list
A single text file containing all the information needed to load
a policy, usually exported by SETools graphical utilities.
If no policy file is provided, sesearch searches for the system
default policy: it checks first for a source policy, next for a binary
policy matching the running kernel’s preferred version, and finally for
the highest-version binary policy that can be found. In that last case the
policy is downgraded to match the running system. If no policy can be
found, sesearch prints an error message and exits.
RULE TYPE OPTIONS
sesearch is capable of searching multiple types of rules. At least one
of the following must be provided to specify the desired type(s) of
rules to search.
-A, --allow
Search for allow rules.
--neverallow
Search for neverallow rules.
--auditallow
Search for auditallow rules.
--dontaudit
Search for dontaudit rules.
-T, --type
Search for type_transition, type_member, and type_change rules.
--role_allow
Search for role allow rules.
--role_trans
Search for role_transition rules.
--range_trans
Search for range_transition rules.
--all Search all rule types.
EXPRESSIONS
The user may specify an expression containing values for a given
field(s) in a rule. Only those fields applicable to a given rule type
will be used; all other fields will be ignored. (For example,
type_transition rules will ignore the permissions field.) If no
expression is specified or if none of the specified fields apply to a
given rule type, all rules of that type are considered to match the
expression.
-s NAME, --source=NAME
Find rules with type/attribute NAME as their source.
-t NAME, --target=NAME
Find rules with type/attribute NAME as their target.
--role_source=NAME
Find rules with role NAME as their source.
--role_target=NAME
Find rules with role NAME as their target.
-c NAME, --class=NAME
Find rules with class NAME as their object class.
-p P1[,P2,...], --perm=P1[,P2,...]
Find rules with at least one of the specified permissions.
Multiple permissions may be specified as a comma separated list;
it is recommended that this list be quoted for shells that
interpret comma as a special character.
-b NAME, --bool=NAME
Find conditional rules with NAME in their conditional
expression. This option will include rules in both the true and
false lists of the conditional.
OPTIONS
The following additional options exist to modify how the search is
performed and the amount of information printed for each result.
-d, --direct
Normally rules are matched using the type given or any of that
type’s attributes (or an attribute’s types). This "indirect"
matching also considers types used in complemented sets, the
special set "*", and the special target "self". When the direct
flag is given, matching is done literally. The rule must
explicitly contain the given type (or attribute) for it to be
returned.
-R, --regex
Use regular expressions to match symbol names. By default only
exact string matches will be considered.
-n, --linenum
Print the line number for each rule. This option is ignored if
using the --semantic option or if line numbers are not available
for the given policy.
-S, --semantic
Search rules semantically instead of syntactically. Syntactic
rules are the rules as written in the policy source; semantic
rules are the expanded form the kernel enforces. This option is
implied for policies for which syntactic rules are not available
(for example, a binary policy).
-C, --show_cond
Print the conditional expression and state for all conditional
rules found. This option has no effect on unconditional rules.
-h, --help
Print help information and exit.
-V, --version
Print version information and exit.
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright(C) 2003-2008 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
seinfo(1), apol(1)
sesearch(1)