seinfoflow(1)       SETools: SELinux Policy Analysis Tools       seinfoflow(1)

NAME

       seinfoflow - Information flow analysis for SELinux policies

SYNOPSIS

       seinfoflow [OPTIONS] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)]
       [EXCLUDE [EXCLUDE ...]]

DESCRIPTION

       seinfoflow is a command line tool that allows the user to perform
       information flow analyses on an SELinux policy.

POLICY

       A single file containing a binary policy. This file is usually named by
       version on Linux systems, for example, policy.30. This file is usually
       named sepolicy on Android systems. If no policy file is provided,
       seinfoflow will search for the policy running on the current system. If
       no policy can be found, seinfoflow will print an error message and
       exit.

OPTIONS

   Analysis Settings
       -p POLICY
              Specify the policy to analyze. If none is specified, seinfoflow
              will search for the policy running on the current system.

       -m MAP Specify the path to the permission map file to use in the
              information flow analysis.

       -s SOURCE
              Specify the source type to use in the information flow analysis.

       -t TARGET
              Specify the target type to use in the information flow analysis.
              Using this option will also require specifying an analysis
              algorithm.

   Analysis Algorithms
       seinfoflow uses graph algorithms to analyze the information flow paths
       of an SELinux policy. The following algorithms are options for
       determining paths from a source type to a target type.

       -S     Print the shortest information flow path(s) from the source type
              to the target type. If multiple paths have the same length, all
              will be displayed.

       -A LIMIT
              Print all information flow path(s) up to LIMIT steps long.
              Depending on the connectiveness of the policy, a limit of 5 or
              more may be extremely expensive.

   Analysis Options
       -w MIN_WEIGHT
              Specify the minimum permission weight to consider for the
              analysis (1-10). The default is 3.

       -l LIMIT_FLOWS
              Specify the maximum number of information flows to output. The
              default is unlimited.

       EXCLUDE
              A space-separated list of types to exclude from the analysis.

   General Options
       -r, --reverse
              Display information flows into the source type. No effect if a
              target type is specified.

       --stats
              Print information flow graph statistics at the end of the
              analysis.

       -h, --help
              Print help information and exit.

       --full Print full rule lists for information flows.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       Show the shortest paths for a process running as httpd_t to access
       user home files, using the default permission map:
       # seinfoflow -s httpd_t -t user_home_t -S

       List all data paths shorter than 3 steps from smbd_t to httpd_log_t,
       when the samba_enable_home_dirs and samba_create_home_dirs booleans
       are enabled:
       # seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
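
       The following Python sketch is an added illustration, not part of
       SETools or of this manual page. It models what -S, -A LIMIT,
       -w MIN_WEIGHT and EXCLUDE select on a small flow graph; the edges,
       their weights and the function names are assumptions constructed for
       the example.

```python
# Toy model of "Analysis Algorithms" and "Analysis Options"; not SETools code.
# Constructed edges: (source type, target type, permission weight 1-10).
EDGES = [
    ("httpd_t", "httpd_log_t", 10),
    ("httpd_t", "httpd_tmp_t", 8),
    ("httpd_t", "initrc_t", 2),
    ("initrc_t", "user_home_t", 9),
    ("httpd_tmp_t", "ftpd_t", 5),
    ("httpd_log_t", "logrotate_t", 7),
    ("ftpd_t", "user_home_t", 9),
    ("logrotate_t", "user_home_t", 4),
]


def build_graph(edges, min_weight=3, exclude=()):
    """Keep flows at or above min_weight (-w) that touch no excluded type."""
    graph = {}
    for src, dst, weight in edges:
        if weight >= min_weight and src not in exclude and dst not in exclude:
            graph.setdefault(src, []).append(dst)
    return graph


def all_paths(graph, source, target, limit):
    """Every loop-free path of at most `limit` steps, as with -A LIMIT."""
    found, stack = [], [[source]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            found.append(path)
        elif len(path) - 1 < limit:
            stack.extend(path + [n] for n in graph.get(path[-1], []) if n not in path)
    return sorted(found, key=lambda p: (len(p), p))


def shortest_paths(graph, source, target):
    """All paths of minimal length, ties included, as with -S."""
    for limit in range(1, len(graph) + 1):
        paths = all_paths(graph, source, target, limit)
        if paths:
            return paths
    return []


if __name__ == "__main__":
    for w in (1, 3, 5):
        g = build_graph(EDGES, min_weight=w)
        print(f"-w {w} -S:", shortest_paths(g, "httpd_t", "user_home_t"))
```

       In this model, lowering the minimum weight to 1 exposes a two-step
       path through the weight-2 edge that the default of 3 hides, which is
       why the weight threshold matters when reviewing a policy for
       unintended flows.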

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), sesearch(1)

SELinux Project                   2016-02-20                     seinfoflow(1)