
NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch  [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A single text file containing  policy  source  for  versions  12
              through 21. This file is usually named policy.conf.

       binary A  single  file containing a monolithic kernel binary policy for
              versions 15 through 21. This file is usually named by version  -
              for example, policy.20.

       modular
              A  list  of  policy  packages  each containing a loadable policy
              module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load
              a policy, usually exported by SETools graphical utilities.

       If  no  policy  file  is  provided, sesearch will search for the system
       default policy: checking first for a source policy, next for  a  binary
       policy matching the running kernel’s preferred version, and finally for
       the highest version that can be found.  In the latter case, the  policy
       will  be  downgraded  to match the running system.  If no policy can be
       found, sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch is capable of searching multiple types of rules. At least  one
       of  the  following  must  be provided to specify the desired type(s) of
       rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change  rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for one or  more
       fields  of  a rule.  Only those fields applicable to a given rule type
       will be used; all other fields will be ignored.  (For example,
       type_transition rules will ignore the permissions field.)   If  no
       expression is specified, or if none of the specified fields apply to a
       given rule type, all rules of that type are  considered  to  match  the
       expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...], --perm=P1[,P2,...]
              Find  rules  with  at  least  one  of the specified permissions.
              Multiple permissions may be specified as a comma-separated list;
              it  is  recommended  that  this  list  be quoted for shells that
              interpret comma as a special character.

       -b NAME, --bool=NAME
              Find  conditional  rules  with   NAME   in   their   conditional
              expression.  This option will include rules in both the true and
              false lists of the conditional.

OPTIONS

       The following additional options exist to  modify  how  the  search  is
       performed and the amount of information printed for each result.

       -d, --direct
              Normally  rules  are matched using the type given or any of that
              type’s attributes (or an attribute’s  types).   This  "indirect"
              matching  also  considers  types  used in complemented sets, the
              special set "*", and the special target "self".  When the direct
              flag  is  given,  matching  is  done  literally.   The rule must
              explicitly contain the given type (or attribute) for  it  to  be
              returned.

       -R, --regex
              Use  regular expressions to match symbol names.  By default only
              exact string matches will be considered.

       -n, --linenum
              Print the line number for each rule.  This option is ignored  if
              using the --semantic option or if line numbers are not available
              for the given policy.

       -S, --semantic
              Search rules semantically instead of syntactically. This  option
              is  implied  for  policies  for  which  syntactic  rules are not
              available.

       -C, --show_cond
              Print the conditional expression and state for  all  conditional
              rules  found.  This option has no effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

AUTHOR

       This manual page was written by Jeremy A. Mowery  <jmowery@tresys.com>.

COPYRIGHT

       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)

                                                                   sesearch(1)