sesearch(1)                 General Commands Manual                sesearch(1)

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A single text file containing policy source for versions 12
              through 21. This file is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for
              versions 15 through 21. This file is usually named by version -
              for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy
              module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load
              a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, sesearch will search for the system
       default policy: checking first for a source policy, next for a binary
       policy matching the running kernel's preferred version, and finally for
       the highest version that can be found. In the latter case, the policy
       will be downgraded to match the running system. If no policy can be
       found, sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch is capable of searching multiple types of rules. At least one
       of the following must be provided to specify the desired type(s) of
       rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       -D, --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for one or more
       fields in a rule. Only those fields applicable to a given rule type
       will be used; all other fields will be ignored. (For example,
       type_transition rules will ignore the permissions field.) If no
       expression is specified or if none of the specified fields apply to a
       given rule type, all rules of that type are considered to match the
       expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       -D NAME, --default=NAME
              Find rules with type NAME as their default.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...] --perm=P1[,P2...]
              Find rules with at least one of the specified permissions.
              Multiple permissions may be specified as a comma separated list;
              it is recommended that this list be quoted for shells that
              interpret comma as a special character.

       -b NAME, --bool=NAME
              Find conditional rules with NAME in their conditional
              expression. This option will include rules in both the true and
              false lists of the conditional.
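       Because -p matches a rule that has at least one of the listed
       permissions, finding rules that grant all of them needs a post-filter.
       The script below is an added example, not part of SETools; the result
       line layout it parses and the app_t types are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SETools distribution.
# Assumed result layout: allow SOURCE TARGET : CLASS { PERM ... } ;

# Read sesearch allow-rule output on stdin and print only the rules whose
# permission set contains every permission in $1 (comma separated, as for -p).
rules_with_all_perms() {
    awk -v want="$1" '
        BEGIN { n = split(want, need, ",") }
        $1 == "allow" {
            line = $0
            sub(/^[^:]*:/, "", line)      # drop "allow SOURCE TARGET :"
            gsub(/[{};]/, " ", line)      # drop braces and the terminator
            m = split(line, tok, " ")     # tok[1] is the object class
            split("", have)               # portable way to clear an array
            for (i = 2; i <= m; i++) have[tok[i]] = 1
            ok = 1
            for (i = 1; i <= n; i++) if (!(need[i] in have)) ok = 0
            if (ok) print
        }'
}

# Constructed sample of what a query such as
#   sesearch --allow -s app_t -c file -p 'write,append'
# could return; app_t and the app_*_t types are hypothetical.
sample_output() {
    cat <<'EOF'
Found 3 semantic av rules:
   allow app_t app_log_t : file { getattr append } ;
   allow app_t app_tmp_t : file { read write append getattr } ;
   allow app_t app_lock_t : file { write getattr } ;
EOF
}

# All three rules match -p (each has write or append); only one has both.
sample_output | rules_with_all_perms 'write,append'
```

       Against a real policy, pipe the sesearch query shown in the comment
       into rules_with_all_perms in place of sample_output.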

OPTIONS

       The following additional options exist to modify how the search is
       performed and the amount of information printed for each result.

       -d, --direct
              Normally rules are matched using the type given or any of that
              type's attributes (or an attribute's types). This "indirect"
              matching also considers types used in complemented sets, the
              special set "*", and the special target "self". When the direct
              flag is given, matching is done literally. The rule must
              explicitly contain the given type (or attribute) for it to be
              returned.

       -R, --regex
              Use regular expressions to match symbol names. By default only
              exact string matches will be considered.

       -n, --linenum
              Print the line number for each rule. This option is ignored if
              using the --semantic option or if line numbers are not available
              for the given policy.

       -S, --semantic
              Search rules semantically instead of syntactically. This option
              is implied for policies for which syntactic rules are not
              available.

       -C, --show_cond
              Print the conditional expression and state for all conditional
              rules found. This option has no effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)