1sesearch(1) SETools: SELinux Policy Analysis Tools sesearch(1)
2
6 sesearch - SELinux policy query tool
7
10 sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]
11
14 sesearch allows the user to search the rules in a SELinux policy.
15
18 sesearch supports loading SELinux policies in one of two formats.
19 source:
21 A single text file containing a monolithic policy source.
22 This file is usually named policy.conf.
23 binary:
25 A single file containing a binary policy. This file is
26 usually named by version on Linux systems, for example,
27 policy.30. This file is usually named sepolicy on Android
28 systems.
29 If no policy file is provided, sesearch will search for the policy run‐
31 ning on the current system. If no policy can be found, sesearch will
32 print an error message and exit.
33
36 The user may specify an expression containing values for a given
37 field(s) in a rule. If no expression is specified or if none of the
38 specified fields apply to a given rule type, all rules of that type are
39 considered to match the expression.
40 Type Enforcement Rule Types
43 -A Find allow and allowxperm rules.
44 --allow
46 Find allow rules.
47 --auditallow
49 Find auditallow rules.
50 --dontaudit
52 Find dontaudit rules.
53 --neverallow
55 Find neverallow rules.
56 --allowxperm
58 Find allowxperm rules.
59 --auditallowxperm
61 Find auditallowxperm rules.
62 --dontauditxperm
64 Find dontauditxperm rules.
65 --neverallowxperm
67 Find neverallowxperm rules.
68 -T, --type_trans
70 Find type_transition rules.
71 --type_member
73 Find type_member rules.
74 --type_change
76 Find type_change rules.
77 RBAC Rule Types
80 --role_allow
81 Find role allow rules.
82 --role_trans
84 Find role_transition rules.
85 MLS Rule Types
88 --range_trans
89 Find range_transition rules.
90 Rule Fields
93 -s NAME, --source NAME
94 Find rules with NAME as their source type/role.
95 -t NAME, --target NAME
97 Find rules with NAME as their target type/role.
98 -D NAME, --default NAME
100 Find rules with NAME as their default type/role/level.
101 -c NAME, --class NAME
103 Find rules with NAME as their object class.
104 -p P1[,P2,...] --perm P1[,P2...]
106 Find rules with at least one of the specified permissions. Mul‐
107 tiple permissions may be specified as a comma-separated list.
108 -b BOOL[,B2,...], --bool BOOL[,B2,...]
110 Find conditional rules with the named Boolean in their condi‐
111 tional expression. Multiple Booleans may be specified as a
112 comma-separated list. This option will include rules in both
113 the true and false lists of the conditional.
114 Search Options
117 The following additional options modify how the search is performed.
118 -ds A matching rule must have the specified source
120 attribute/type/role explicitly, instead of matching by attribute
121 contents.
122 -dt A matching rule must have the specified target
124 attribute/type/role explicitly, instead of matching by attribute
125 contents.
126 -eb A matching rule must have all specified Booleans, instead of
128 matching any of the specified Boolean.
129 -ep A matching rule must have all specified permissions, instead of
131 matching any of the specified permission.
132 -rs Use regular expression for matching the source type/role.
134 -rt Use regular expression for matching the target type/role.
136 -rc Use regular expression for matching the object class.
138 -rd Use regular expression for matching the default type/role.
140 -rb Use regular expression for matching Booleans.
142
145 -h, --help
146 Print help information and exit.
147 --version
149 Print version information and exit.
150 -v, --verbose
152 Print additional informational messages.
153 --debug
155 Enable debugging output.
156
159 Chris PeBenito <cpebenito@tresys.com>
160
163 Please report bugs via the SETools bug tracker,
164 https://github.com/TresysTechnology/setools/issues
165
168 apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)
169Tresys Technology, LLC 2016-04-19 sesearch(1)