segraph_query(1)              SELinux Policy Analysis Tool              segraph_query(1)

NAME
       segraph_query - SELinux policy analysis tool

SYNOPSIS
       segraph_query [-h] [-d POLICY_GRAPH2] POLICY_GRAPH QUERY_FUNCTIONS

DESCRIPTION
       Analyses the policy graph using the given query functions.

       Available query functions:

       write_executable
              Finds all types corresponding to executables that can be
              written to. Lists a dictionary with executable types as
              keys and the types holding write permission on them as
              values.

       transition_write
              Finds domain transitions via entrypoints that can be
              rewritten by the source domain. This effectively extends
              the reach of the source domain by the access rights of the
              target domain. Lists triplets of (source domain, target
              domain, entrypoint).

       write_to_security
              Finds domains that are allowed write access to "security
              related" types. Lists the domains holding the specified
              write access together with the lists of affected types
              (security types that can be written to).

OPTIONS
       Positional arguments:

       POLICY_GRAPH
              Policy graph file

       QUERY_FUNCTIONS
              Comma separated list of query functions to be executed

       Optional arguments:

       -h, --help
              Show help message and exit

       -d POLICY_GRAPH2, --diff POLICY_GRAPH2
              Another policy graph file for comparison

EXAMPLES
       Check a policy graph (created using sebuild_graph) with the
       write_executable function:

              $ graph_query.py graph write_executable

       Show the consequences of a change in policy (graph2 was created
       after the change):

              $ segraph_query graph2 write_executable,transition_write,write_to_security -d graph
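       The following is an added illustration of what the write_executable
       and transition_write queries compute, and of what the -d comparison
       surfaces; it is not segraph_query's own code. It assumes the policy
       graph reduces to a set of allow rules of the form (source type,
       target type, object class, permission); the real sebuild_graph file
       format is not shown on this page. The rule set RULES is constructed
       for the example. The diff_query helper is this example's own name for
       the "findings new in graph2 relative to graph" comparison.

```python
from collections import defaultdict

# Constructed toy policy "graph" (an assumed representation, not the
# sebuild_graph file format): (source_type, target_type, object_class, perm).
RULES = frozenset({
    # init_t -> sshd_t via sshd_exec_t: execute + entrypoint + transition
    ("init_t", "sshd_exec_t", "file", "execute"),
    ("sshd_t", "sshd_exec_t", "file", "entrypoint"),
    ("init_t", "sshd_t", "process", "transition"),
    # the extra rule that lets the source domain rewrite the entrypoint
    ("init_t", "sshd_exec_t", "file", "write"),
    # user_t -> ping_t via ping_exec_t; only admin_t may write ping_exec_t
    ("user_t", "ping_exec_t", "file", "execute"),
    ("ping_t", "ping_exec_t", "file", "entrypoint"),
    ("user_t", "ping_t", "process", "transition"),
    ("admin_t", "ping_exec_t", "file", "write"),
})


def _by_perm(rules, cls, perm):
    """Set of (source, target) pairs granted `perm` on object class `cls`."""
    return {(s, t) for (s, t, c, p) in rules if c == cls and p == perm}


def write_executable(rules):
    """Executable types (targets of a file:entrypoint permission) that some
    type is allowed to write. Returns {executable_type: sorted writer types},
    listing only executables with at least one writer."""
    executables = {t for (_, t) in _by_perm(rules, "file", "entrypoint")}
    writers = defaultdict(set)
    for s, t in _by_perm(rules, "file", "write"):
        if t in executables:
            writers[t].add(s)
    return {t: sorted(ws) for t, ws in writers.items()}


def transition_write(rules):
    """Domain transitions whose entrypoint the source domain can also write.
    A transition source -> target via entrypoint e needs
    source e:file execute, target e:file entrypoint and
    source target:process transition; it is reported when
    source e:file write is granted as well.
    Returns sorted (source, target, entrypoint) triplets."""
    execute = _by_perm(rules, "file", "execute")
    write = _by_perm(rules, "file", "write")
    entrypoints = defaultdict(set)
    for t, e in _by_perm(rules, "file", "entrypoint"):
        entrypoints[t].add(e)
    found = set()
    for s, t in _by_perm(rules, "process", "transition"):
        for e in entrypoints[t]:
            if (s, e) in execute and (s, e) in write:
                found.add((s, t, e))
    return sorted(found)


def _flatten(result):
    """Normalise a query result (dict or list) to a set of tuples for diffing."""
    if isinstance(result, dict):
        return {(k, v) for k, vs in result.items() for v in vs}
    return set(result)


def diff_query(query, old_rules, new_rules):
    """Findings introduced by the change from old_rules to new_rules, i.e. the
    kind of difference a comparison against the pre-change graph (-d) surfaces."""
    return _flatten(query(new_rules)) - _flatten(query(old_rules))


if __name__ == "__main__":
    # "before" is the same policy without the write rule on sshd_exec_t
    before = RULES - {("init_t", "sshd_exec_t", "file", "write")}
    print("write_executable:", write_executable(RULES))
    print("transition_write:", transition_write(RULES))
    print("new since change:", diff_query(transition_write, before, RULES))
```

       Running the script reports sshd_exec_t as writable by init_t and
       ping_exec_t as writable by admin_t, but only the init_t -> sshd_t
       transition as a transition_write finding, because user_t cannot
       write ping_exec_t. The diff against the pre-change rule set shows
       the single triplet introduced by the added write rule.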

SEE ALSO
       sebuild_graph(1)

AUTHOR
       Vit Mojzis <vmojzis@redhat.com>

                                  2017-02-09                          segraph_query(1)