sechecker(1) General Commands Manual sechecker(1)

NAME
sechecker - SELinux policy checking tool

SYNOPSIS
sechecker [OPTIONS] -p profile [POLICY ...]
sechecker [OPTIONS] -m module [POLICY ...]
sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION
sechecker allows the user to perform predefined modular checks on a
SELinux policy. Profiles exist to group modules together and allow
modification of module settings (see PROFILE OPTIONS below).

POLICY
sechecker supports loading a SELinux policy in one of four formats.

source A single text file containing policy source for versions 12
through 21. This file is usually named policy.conf.

binary A single file containing a monolithic kernel binary policy for
versions 15 through 21. This file is usually named by version -
for example, policy.20.

modular
A list of policy packages, each containing a loadable policy module.
The first module listed must be a base module.

policy list
A single text file containing all the information needed to load
a policy, usually exported by SETools graphical utilities.

If no policy file is provided, sechecker will search for the system
default policy: checking first for a source policy, next for a binary
policy matching the running kernel's preferred version, and finally for
the highest version that can be found. In the latter case, the policy
will be downgraded to match the running system. If no policy can be
found, sechecker will print an error message and exit.

OPTIONS
-p PROFILE, --profile=PROFILE
Load module settings from a module profile. The settings in the
profile override the default settings for all specified modules.
If specified without -m, run all modules in the profile. PROFILE
may be either the name of a known profile (see --list) or the path
to a user-created profile. See PROFILE OPTIONS below for more
information about creating profiles.

-m MODULE, --module=MODULE
Run only the module named MODULE (see --list).

--min-sev=SEVERITY
Report only results whose severity is SEVERITY or higher.
SEVERITY must have one of the following values:

low The module's results indicate a flaw in the policy that
does not affect the manner in which the policy is
enforced, but is considered to be improper.

med The module's results indicate a flaw in the policy that
changes the manner in which the policy is enforced; however,
it does not present an identifiable security risk.

high The module's results indicate a flaw in the policy that
presents an identifiable security risk.

--fcfile=FILE
Use FILE for the file_contexts file instead of the system
default. This flag is only applicable if sechecker was configured
with the --enable-sefs flag.

-l, --list
Print the name and a brief description of all known profiles
and modules and exit.

-h[MODULE], --help[=MODULE]
Print general help information and exit. If MODULE is provided,
print help information for the module named MODULE and exit.

-V, --version
Print version information and exit.

REPORT GENERATION OPTIONS
At most one of the following may be provided; it sets the report length
for all modules. If provided, this option overrides both the profile
and module default output settings.

-q, --quiet
Suppress all output.

-s, --short
Print short output.

-v, --verbose
Print verbose output.

PROFILE OPTIONS
Profiles are used to group modules together, to specify the output
format for each module in the report, and to provide the ability to
override the modules' default options. Each profile is a well-formed
XML document, as specified by the DTD installed with sechecker. An
example profile follows:

    <sechecker version="1.1">
      <profile>
        <module name="find_domains">
          <output value="quiet"/>
          <option name="domain_attribute">
            <item value="domain"/>
            <item value="user_domain"/>
            ...
          </option>
        </module>
        ...
      </profile>
    </sechecker>

This profile sets the output level of the find_domains module to quiet
and overrides the default value of that module's "domain_attribute"
option with the listed items.

PROFILE OUTPUT OPTIONS
The valid output values for each module are specified below:

verbose
Print each result in the report with accompanying proof(s).

short Print a list of results with no accompanying proof.

none Do not print output from this module in the report; however,
module errors will still be printed.

quiet Do not print output from this module in the report and do not
print errors. This is useful for utility modules for which the
calling module handles any errors.

PROFILE MODULE OPTIONS
Several modules provide one or more options that can be set from a
profile. Each option has one or more items. To check what options are
available for a module, use --help=MODULE, where MODULE is the name of
the module as printed by --list.

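
The following is an added example, not part of SETools or this manual
page: a small Python builder and parser for profiles of the shape shown
under PROFILE OPTIONS. It enforces the two constraints stated there and
under PROFILE OUTPUT OPTIONS and PROFILE MODULE OPTIONS (output values
limited to verbose/short/none/quiet; every option carries one or more
items). The element and attribute names are taken from the example
profile above; the installed DTD remains the authority, and this code
does not validate against it. The sample data is constructed from the
find_domains entry in the example.

```python
# Added example (not SETools code): build and validate a sechecker profile.
# It assumes only the document shape shown in the man page example:
#   <sechecker version="1.1"><profile><module name="..."><output value="..."/>
#   <option name="..."><item value="..."/>...</option></module></profile></sechecker>
# It does not validate against the installed DTD, which is the authority.
import xml.etree.ElementTree as ET

PROFILE_VERSION = "1.1"
# Output levels listed under PROFILE OUTPUT OPTIONS.
VALID_OUTPUT = {"verbose", "short", "none", "quiet"}


def build_profile(modules):
    """Serialize {module: {"output": level, "options": {name: [items]}}}.

    "output" may be omitted to keep the module's default output setting;
    each option must carry at least one item, as the man page requires."""
    root = ET.Element("sechecker", version=PROFILE_VERSION)
    profile = ET.SubElement(root, "profile")
    for name, spec in modules.items():
        mod = ET.SubElement(profile, "module", name=name)
        if "output" in spec:
            level = spec["output"]
            if level not in VALID_OUTPUT:
                raise ValueError(f"{name}: unknown output level {level!r}")
            ET.SubElement(mod, "output", value=level)
        for opt_name, items in spec.get("options", {}).items():
            if not items:
                raise ValueError(f"{name}/{opt_name}: option needs one or more items")
            opt = ET.SubElement(mod, "option", name=opt_name)
            for item in items:
                ET.SubElement(opt, "item", value=item)
    return ET.tostring(root, encoding="unicode")


def parse_profile(xml_text):
    """Parse a profile back into the dict shape build_profile accepts,
    rejecting a wrong root element, nameless modules, bad output levels
    and options without items."""
    root = ET.fromstring(xml_text)
    if root.tag != "sechecker" or root.find("profile") is None:
        raise ValueError("expected <sechecker> root with a <profile> child")
    modules = {}
    for mod in root.find("profile").findall("module"):
        name = mod.get("name")
        if not name:
            raise ValueError("<module> without a name attribute")
        spec = {"options": {}}
        out = mod.find("output")
        if out is not None:
            level = out.get("value")
            if level not in VALID_OUTPUT:
                raise ValueError(f"{name}: unknown output level {level!r}")
            spec["output"] = level
        for opt in mod.findall("option"):
            items = [i.get("value") for i in opt.findall("item")]
            if not items:
                raise ValueError(f"{name}/{opt.get('name')}: option has no items")
            spec["options"][opt.get("name")] = items
        modules[name] = spec
    return modules


def is_valid_profile(xml_text):
    """True if the text parses as a well-formed profile of the shape above."""
    try:
        parse_profile(xml_text)
    except (ET.ParseError, ValueError):
        return False
    return True


# Constructed sample: the find_domains entry from the man page example.
SAMPLE = {
    "find_domains": {
        "output": "quiet",
        "options": {"domain_attribute": ["domain", "user_domain"]},
    }
}

if __name__ == "__main__":
    text = build_profile(SAMPLE)
    print(text)
    print(parse_profile(text) == SAMPLE, is_valid_profile(text))
```

Write the returned string to a file and pass its path to -p; a profile
that fails is_valid_profile will also be rejected by sechecker's own DTD
check, so running this first gives an earlier, clearer error.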
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
Copyright(C) 2005-2008 Tresys Technology, LLC

BUGS
Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
apol(1)