seinfoflow(1)       SETools: SELinux Policy Analysis Tools       seinfoflow(1)

NAME

       seinfoflow - Information flow analysis for SELinux policies

SYNOPSIS

       seinfoflow [OPTIONS] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)]
       [EXCLUDE [EXCLUDE ...]]

DESCRIPTION

       seinfoflow is a command line tool that allows the user to perform
       information flow analyses on an SELinux policy.

POLICY

       seinfoflow supports loading SELinux policies in one of two formats.

              source:
                     A single text file containing a monolithic policy source.
                     This file is usually named policy.conf.

              binary:
                     A single file containing a binary policy. This file is
                     usually named by version on Linux systems, for example,
                     policy.30. This file is usually named sepolicy on Android
                     systems.

       If no policy file is provided, seinfoflow will search for the policy
       running on the current system. If no policy can be found, seinfoflow
       will print an error message and exit.

OPTIONS

   Analysis Settings
       -p POLICY
              Specify the policy to analyze. If none is specified, seinfoflow
              will search for the policy running on the current system.

       -m MAP Specify the path to the permission map file to use in the
              information flow analysis.

       -s SOURCE
              Specify the source type to use in the information flow analysis.

       -t TARGET
              Specify the target type to use in the information flow analysis.
              Using this option will also require specifying an analysis
              algorithm.

   Analysis Algorithms
       seinfoflow uses graph algorithms to analyze the information flow paths
       of an SELinux policy. The following algorithms are options for
       determining paths from a source type to a target type.

       -S     Print the shortest information flow path(s) from the source type
              to the target type. If multiple paths have the same length, all
              will be displayed.

       -A LIMIT
              Print all information flow path(s) up to LIMIT steps long.
              Depending on the connectiveness of the policy, a limit of 5 or
              more may be extremely expensive.

   Analysis Options
       -w MIN_WEIGHT
              Specify the minimum permission weight to consider for the
              analysis (1-10). The default is 3.

       -l LIMIT_FLOWS
              Specify the maximum number of information flows to output. The
              default is unlimited.

       EXCLUDE
              A space-separated list of types to exclude from the analysis.

   General Options
       --stats
              Print information flow graph statistics at the end of the
              analysis.

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.
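
EXAMPLE

       The following Python sketch is an added illustration, not part of
       SETools or of the original manual page. It models on a small
       constructed policy how -w, EXCLUDE, -S and -A LIMIT shape the result;
       the rules, type names and permission weights are assumptions, and
       write-like permissions are taken to flow from source to target while
       read-like permissions flow from target to source.

```python
# Added illustration, not SETools code. All rules, types and weights are constructed.

# Constructed permission map: permission -> (direction r/w, weight 1-10).
PERM_MAP = {"read": ("r", 10), "write": ("w", 10), "getattr": ("r", 4), "lock": ("w", 1)}

# Constructed allow rules: (source type, target type, permission).
RULES = [
    ("httpd_t", "httpd_log_t", "write"),
    ("logrotate_t", "httpd_log_t", "read"),
    ("logrotate_t", "var_log_t", "write"),
    ("admin_t", "var_log_t", "read"),
    ("admin_t", "httpd_log_t", "read"),
    ("httpd_t", "tmp_t", "lock"),
    ("admin_t", "tmp_t", "getattr"),
]

def build_graph(rules, min_weight=3, exclude=()):
    """Directed flow graph: a write flows source->target, a read target->source."""
    graph = {}
    for src, tgt, perm in rules:
        direction, weight = PERM_MAP[perm]
        if weight < min_weight or src in exclude or tgt in exclude:
            continue  # below the -w threshold, or an excluded type
        a, b = (src, tgt) if direction == "w" else (tgt, src)
        graph.setdefault(a, set()).add(b)
    return graph

def all_paths(graph, source, target, limit):
    """Every simple path of at most `limit` steps (the -A LIMIT style of search)."""
    found, stack = [], [[source]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            found.append(path)
        elif len(path) - 1 < limit:
            stack.extend(path + [n] for n in graph.get(path[-1], ()) if n not in path)
    return sorted(found)

def shortest_paths(graph, source, target):
    """All paths of minimal length (the -S style of search), by iterative deepening."""
    for limit in range(1, len(graph) + 2):
        paths = all_paths(graph, source, target, limit)
        if paths:
            return paths
    return []

if __name__ == "__main__":
    for p in all_paths(build_graph(RULES), "httpd_t", "admin_t", 4):
        print(" -> ".join(p))
```

       Lowering min_weight to 1 admits the low-weight lock edge and yields a
       second shortest path through tmp_t. Excluding httpd_log_t removes
       every path from httpd_t to admin_t in this constructed policy.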

AUTHOR

       Chris PeBenito <cpebenito@tresys.com>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/TresysTechnology/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), sesearch(1)

Tresys Technology, LLC            2016-02-20                     seinfoflow(1)