sesearch(1)                 General Commands Manual                sesearch(1)

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A single text file containing policy source for versions 12
              through 21. This file is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for
              versions 15 through 21. This file is usually named by version -
              for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy
              module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load
              a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, sesearch will search for the system
       default policy: checking first for a source policy, next for a binary
       policy matching the running kernel's preferred version, and finally for
       the highest version that can be found. In the latter case, the policy
       will be downgraded to match the running system. If no policy can be
       found, sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch is capable of searching multiple types of rules. At least one
       of the following must be provided to specify the desired type(s) of
       rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for a given
       field(s) in a rule. Only those fields applicable to a given rule type
       will be used; all other fields will be ignored. (For example,
       type_transition rules will ignore the permissions field.) If no
       expression is specified or if none of the specified fields apply to a
       given rule type, all rules of that type are considered to match the
       expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...], --perm=P1[,P2,...]
              Find rules with at least one of the specified permissions.
              Multiple permissions may be specified as a comma separated list;
              it is recommended that this list be quoted for shells that
              interpret comma as a special character.

       -b NAME, --bool=NAME
              Find conditional rules with NAME in their conditional
              expression. This option will include rules in both the true and
              false lists of the conditional.
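
       Because -p matches rules carrying at least one of the listed
       permissions, an audit that needs rules granting every listed
       permission has to post-filter the results. The following is an added
       example, not part of the original manual page; the sample rules are
       constructed and the output layout is an assumption about typical
       sesearch output.

```sh
#!/bin/sh
# Added example. Intended use against a real policy:
#   sesearch --allow -c file -p "read,write" | rules_with_all_perms read write

# Constructed sample of sesearch output, not taken from a real policy.
# Every rule has read or write, as a -p "read,write" query would return.
sample_output() {
    cat <<'EOF'
Found 4 semantic av rules:
   allow httpd_t httpd_log_t : file { append getattr write } ;
   allow httpd_t httpd_sys_rw_content_t : file { read write getattr open } ;
   allow logrotate_t httpd_log_t : file { read write unlink } ;
   allow httpd_t httpd_config_t : file read ;
EOF
}

# rules_with_all_perms PERM [PERM ...]
# Reads sesearch output on stdin and prints only the rules whose permission
# set contains every PERM (logical AND, where -p alone gives logical OR).
rules_with_all_perms() {
    awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    /^[ \t]*(allow|auditallow|dontaudit|neverallow)[ \t]/ {
        rule = $0
        sub(/;.*$/, "", rule)              # drop ";" and anything after it
        colon = index(rule, ":")
        if (colon == 0) next
        rest = substr(rule, colon + 1)     # "class { p1 p2 }" or "class p1"
        gsub(/[{}]/, " ", rest)
        m = split(rest, f, " ")            # f[1] = class, f[2..m] = perms
        split("", have)                    # reset the per-rule permission set
        for (i = 2; i <= m; i++) have[f[i]] = 1
        ok = 1
        for (i = 1; i <= n; i++) if (!(req[i] in have)) ok = 0
        if (ok) {
            line = $0
            sub(/^[ \t]+/, "", line)
            print line
        }
    }'
}

# Demonstration on the constructed sample: prints the two read+write rules.
sample_output | rules_with_all_perms read write
```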

OPTIONS

       The following additional options exist to modify how the search is
       performed and the amount of information printed for each result.

       -d, --direct
              Normally rules are matched using the type given or any of that
              type's attributes (or an attribute's types). This "indirect"
              matching also considers types used in complemented sets, the
              special set "*", and the special target "self". When the direct
              flag is given, matching is done literally. The rule must
              explicitly contain the given type (or attribute) for it to be
              returned.

       -R, --regex
              Use regular expressions to match symbol names. By default only
              exact string matches will be considered.

       -n, --linenum
              Print the line number for each rule. This option is ignored if
              using the --semantic option or if line numbers are not available
              for the given policy.

       -S, --semantic
              Search rules semantically instead of syntactically. This option
              is implied for policies for which syntactic rules are not
              available.

       -C, --show_cond
              Print the conditional expression and state for all conditional
              rules found. This option has no effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)