1sechecker(1)        SETools: SELinux Policy Analysis Tools        sechecker(1)
2
3
4

NAME

6       sechecker - Configuration-driven automated SELinux policy analysis
7
8

SYNOPSIS

10       sechecker [OPTIONS] config.ini [POLICY]
11
12

DESCRIPTION

14       sechecker  is an automated SELinux policy analysis tool. It uses a con‐
15       figuration file to define one or more analysis checks.
16
17

POLICY

19       A single file containing a binary policy. This file is usually named by
20       version  on Linux systems, for example, policy.30. This file is usually
21       named sepolicy on Android systems.  If not provided, sechecker will at‐
22       tempt to locate and open the current policy running on the system.
23
24

OPTIONS

26       -o <path>
27              Output the results to the specified path instead of stdout.
28
29       -h, --help
30              Print help information and exit.
31
32       --version
33              Print version information and exit.
34
35       -v, --verbose
36              Print additional informational messages.
37
38       --debug
39              Enable debugging output.
40
41

RETURN CODES

43       sechecker has the following return codes:
44
45       0      All checks passed.
46
47       1      One or more checks failed.
48
49       2      Error in the configuration file.
50
51       3      Other errors, such as policy open error.
52
53

CONFIGURATION FILE

55       The  configuration  file is in the .ini format. Each section is consid‐
56       ered a check, with the configuration section name being the name of the
57       check.  All checks have the following options:
58
59
60       check_type = <name>
61              This selects the type of test be be used in this check.  This is
62              required.
63
64       desc = <text>
65              This is an optional  text  field.   If  set,  the  contents  are
66              printed  in the output and is typically used to explain the pur‐
67              pose of the check.
68
69       disable = <text>
70              This is an optional text field.  If it is set,  the  check  will
71              not  run  and the contents of this text will be added to the re‐
72              port to explain why the check was not ran.
73
74

TYPE ENFORCEMENT ALLOW RULE ASSERTION

76       This checks for the nonexistence of type enforcement allow  rules.  The
77       check_type  is assert_te.  It will run the query and any unexpected re‐
78       sults from the query, removing any exempted sources or targets, will be
79       listed  as  failures.  Any expected results that are not seen will also
80       be listed as failures.  If a rule has an empty attribute, rendering  it
81       useless,  it  will  be ignored.  If a rule has an attribute, it will be
82       considered a failure unless all of the member types are exempted.
83
84
85       Criteria options:
86
87       source = <type or type attribute>
88              The source type/attribute criteria for the query.
89
90       target = <type or type attribute>
91              The target type/attribute criteria for the query.
92
93       tclass = <type or type attribute>[ ....]
94              A space-separated list of object class criteria for the query.
95
96       perms = <type or type attribute>[ ....]
97              A space-separated list of permissions for the query.
98
99
100       A least one of the above options must be set in this check.
101
102
103       Additional Options:
104
105
106       expect_source = <type or type attribute>[ ....]
107              A space-separated list of types and type  attributes.   Each  of
108              these  types  must  be seen as the source of a rule that matches
109              the criteria.  At the end of the query, each unseen type in this
110              list will be reported as a failure. This is optional.
111
112       expect_target = <type or type attribute>[ ....]
113              A  space-separated  list  of types and type attributes.  Each of
114              these types must be seen as the target of a  rule  that  matches
115              the criteria.  At the end of the query, each unseen type in this
116              list will be reported as a failure. This is optional.
117
118       exempt_source = <type or type attribute>[ ....]
119              A space-separated list of types and type attributes.  Rules with
120              these as the source will be ignored. This is optional.
121
122       exempt_target = <type or type attribute>[ ....]
123              A space-separated list of types and type attributes.  Rules with
124              these as the target will be ignored. This is optional.
125
126
127       Note: If a rule has an attribute source, all of the member  types  must
128       be in the expect_source list or exempt_source list to pass.  Similarly,
129       if a rule has an attribute target, all of the member types must  be  in
130       the expect_target list or exempt_target list to pass.
131
132

ROLE BASED ACCESS CONTROL ALLOW RULE ASSERTION

134       This  checks  for  the nonexistence of role based access control (RBAC)
135       allow rules. The check_type is assert_rbac.  It will run the query  and
136       any unexpected results from the query, removing any exempted sources or
137       targets, will be listed as failures.  Any expected results that are not
138       seen will also be listed as failures.
139
140
141       Criteria options:
142
143       source = <role
144              The source role criteria for the query.
145
146       target = <role>
147              The target role criteria for the query.
148
149
150       A least one of the above options must be set in this check.
151
152
153       Additional Options:
154
155
156       expect_source = <role>[ ....]
157              A  space-separated  list  of roles.  Each of these roles must be
158              seen as the source of a rule that matches the criteria.  At  the
159              end of the query, each unseen role in this list will be reported
160              as a failure. This is optional.
161
162       expect_target = <role>[ ....]
163              A space-separated list of roles.  Each of these  roles  must  be
164              seen  as the target of a rule that matches the criteria.  At the
165              end of the query, each unseen role in this list will be reported
166              as a failure. This is optional.
167
168       exempt_source = <role>[ ....]
169              A space-separated list of roles.  Rules with these as the source
170              will be ignored. This is optional.
171
172       exempt_target = <role>[ ....]
173              A space-separated list of roles.  Rules with these as the target
174              will be ignored. This is optional.
175
176

EMPTY TYPE ATTRIBUTE ASSERTION

178       This checks that the specified attribute is empty.  This can optionally
179       be set to also pass if the attribute does not exist.  The check_type is
180       empty_typeattr.
181
182
183       Options:
184
185       attr = <type attribute>
186              The type attribute to check.  This is required.
187
188       missing_ok = <type attribute>
189              Consider  the  check  passing  if  the attribute does not exist.
190              This is optional.  Default is false.
191
192

READ-ONLY EXECUTABLES ASSERTION

194       This checks that all file types that are executable are read-only.  The
195       check_type is ro_execs.
196
197
198       Options:
199
200       exempt_file = <type or type attribute>[ ....]
201              A space-separated list of types and type attributes.  These will
202              not be considered executable.  This is optional.
203
204       exempt_exec_domain = <type or type attribute>[ ....]
205              A space-separated list of types and type attributes.  Rules with
206              these  as  the source will be ignored if they allow file execute
207              permission.  This is optional.
208
209       exempt_write_domain = <type or type attribute>[ ....]
210              A space-separated list of types and type attributes.  Rules with
211              these  as the source will be ignored if they allow file write or
212              append permissions on types determined executable.  This is  op‐
213              tional.
214
215

CONFIGURATION EXAMPLES

217       Example 1. A  check  called  "no_unconfined" that will determine if the
218       domain_unconfined_type attribute is empty or missing.
219
220           [no_unconfined]
221           check_type = empty_typeattr
222           desc = Verify that the domain_unconfined_type attribute is missing or empty.
223           attr = domain_unconfined_type
224           missing_ok = True
225
226
227       Example 2. A check called "ro_execs" that will determine  if  all  exe‐
228       cutable types are read-only.
229
230           [ro_execs]
231           check_type = empty_typeattr
232           desc = Verify that the all executables and libraries are read-only.
233
234
235       Example 3. A check called "execheap" that will determine that there are
236       no domains with  the  execheap  permission  except  for  unconfined_ex‐
237       echeap_t.
238
239           [execheap]
240           check_type = assert_te
241           desc = Verify no domains have executable heap.
242           tclass = process
243           perms = execheap
244           exempt_source = unconfined_execheap_t
245

AUTHOR

247       Chris PeBenito <chpebeni@linux.microsoft.com>
248
249

BUGS

251       Please     report     bugs     via    the    SETools    bug    tracker,
252       https://github.com/SELinuxProject/setools/issues
253
254

SEE ALSO

256       apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)
257
258
259
260SELinux Project                   2020-06-09                      sechecker(1)
Impressum