sesearch(1)                 General Commands Manual                sesearch(1)

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A single text file containing policy source for versions 12
              through 21. This file is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for
              versions 15 through 21. This file is usually named by version -
              for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy
              module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load
              a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, sesearch will search for the system
       default policy: checking first for a source policy, next for a binary
       policy matching the running kernel's preferred version, and finally for
       the highest version that can be found. If no policy can be found,
       sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch is capable of searching multiple types of rules. At least one
       of the following must be provided to specify the desired type(s) of
       rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for a given
       field(s) in a rule. Only those fields applicable to a given rule type
       will be used; all other fields will be ignored. (For example,
       type_transition rules will ignore the permissions field.) If no
       expression is specified or if none of the specified fields apply to a
       given rule type, all rules of that type are considered to match the
       expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...], --perm=P1[,P2,...]
              Find rules with at least one of the specified permissions.
              Multiple permissions may be specified as a comma-separated list;
              it is recommended that this list be quoted for shells that
              interpret comma as a special character.

       -b NAME, --bool=NAME
              Find conditional rules with NAME in their conditional
              expression. This option will include rules in both the true and
              false lists of the conditional.

OPTIONS

       The following additional options exist to modify how the search is
       performed and the amount of information printed for each result.

       -d, --direct
              Normally rules are matched using the type given or any of that
              type's attributes (or an attribute's types). This "indirect"
              matching also considers types used in complemented sets, the
              special set "*", and the special target "self". When the direct
              flag is given, matching is done literally. The rule must
              explicitly contain the given type (or attribute) for it to be
              returned.

       -R, --regex
              Use regular expressions to match symbol names. By default only
              exact string matches will be considered.

       -n, --linenum
              Print the line number for each rule. This option is ignored if
              using the --semantic option or if line numbers are not available
              for the given policy.

       -S, --semantic
              Search rules semantically instead of syntactically. This option
              is implied for policies for which syntactic rules are not
              available.

       -C, --show_cond
              Print the conditional expression and state for all conditional
              rules found. This option has no effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.
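
       The effect of -d on a search, as an added example that is not part of
       the original manual page: the shell function below (indirect_only_rules
       is a hypothetical name) runs the same --allow query with and without
       --direct and prints the rules that match only through indirect
       matching. It assumes that rule lines in sesearch output begin with the
       keyword allow, optionally indented; the permission list is passed
       quoted, as the -p entry recommends.

```shell
#!/bin/sh
# Added example, not from the sesearch distribution.
# Lists allow rules that reach TARGET only through indirect matching
# (attributes, complemented sets, "*", "self"), i.e. rules that a
# direct (-d) search for the same expression does not return.
#
# Usage: indirect_only_rules TARGET CLASS PERMS [POLICY]
#   PERMS is a comma-separated list, e.g. "write,append"
indirect_only_rules() {
    target=$1 class=$2 perms=$3 policy=${4:-}
    all=$(mktemp) || return 1
    direct=$(mktemp) || { rm -f "$all"; return 1; }

    # Default (indirect) search. ${policy:+"$policy"} drops the argument
    # when no policy file is given, so sesearch falls back to the system
    # default policy. Assumption: rule lines start with "allow".
    sesearch --allow -t "$target" -c "$class" -p "$perms" \
        ${policy:+"$policy"} |
        grep '^ *allow ' | sed 's/^ *//' | sort -u > "$all"

    # Same expression with literal matching only.
    sesearch -d --allow -t "$target" -c "$class" -p "$perms" \
        ${policy:+"$policy"} |
        grep '^ *allow ' | sed 's/^ *//' | sort -u > "$direct"

    # Rules present in the indirect result set but not the direct one.
    comm -23 "$all" "$direct"
    rm -f "$all" "$direct"
}
```

       Rules printed by this function name the target only through an
       attribute or set, which is where broad grants tend to go unnoticed
       when a policy is reviewed by type name alone.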

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

       Copyright(C) 2003-2007 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)