sechecker(1)    SETools: SELinux Policy Analysis Tools    sechecker(1)

NAME
sechecker - Configuration-driven automated SELinux policy analysis

SYNOPSIS
sechecker [OPTIONS] config.ini [POLICY]

DESCRIPTION
sechecker is an automated SELinux policy analysis tool. It uses a configuration file to define one or more analysis checks.

POLICY
A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If not provided, sechecker will attempt to locate and open the current policy running on the system.

OPTIONS
-o <path>
Output the results to the specified path instead of stdout.

-h, --help
Print help information and exit.

--version
Print version information and exit.

-v, --verbose
Print additional informational messages.

--debug
Enable debugging output.

RETURN CODES
sechecker has the following return codes:

0 All checks passed.

1 One or more checks failed.

2 Error in the configuration file.

3 Other errors, such as policy open error.

CONFIGURATION FILE
The configuration file is in the .ini format. Each section is considered a check, with the configuration section name being the name of the check. All checks have the following options:

check_type = <name>
This selects the type of test to be used in this check. This is required.

desc = <text>
This is an optional text field. If set, the contents are printed in the output and is typically used to explain the purpose of the check.

disable = <text>
This is an optional text field. If it is set, the check will not run and the contents of this text will be added to the report to explain why the check was not run.

TYPE ENFORCEMENT ASSERTION CHECK
This checks for the nonexistence of type enforcement allow rules. The check_type is assert_te. It will run the query and any unexpected results from the query, removing any exempted sources or targets, will be listed as failures. Any expected results that are not seen will also be listed as failures. If a rule has an empty attribute, rendering it useless, it will be ignored. If a rule has an attribute, it will be considered a failure unless all of the member types are exempted.

Criteria options:

source = <type or type attribute>
The source type/attribute criteria for the query.

target = <type or type attribute>
The target type/attribute criteria for the query.

tclass = <object class>[ ...]
A space-separated list of object class criteria for the query.

perms = <permission>[ ...]
A space-separated list of permissions for the query.

At least one of the above options must be set in this check.

Additional Options:

expect_source = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Each of these types must be seen as the source of a rule that matches the criteria. At the end of the query, each unseen type in this list will be reported as a failure. This is optional.

expect_target = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Each of these types must be seen as the target of a rule that matches the criteria. At the end of the query, each unseen type in this list will be reported as a failure. This is optional.

exempt_source = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Rules with these as the source will be ignored. This is optional.

exempt_target = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Rules with these as the target will be ignored. This is optional.

Note: If a rule has an attribute source, all of the member types must be in the expect_source list or exempt_source list to pass. Similarly, if a rule has an attribute target, all of the member types must be in the expect_target list or exempt_target list to pass.
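The following is an added illustration, not setools code, of the assert_te pass/fail rules described above (criteria match, exempt and expect lists, empty attributes, attribute member expansion), run on a constructed toy policy against the execheap check from Example 3 below. The Rule/ATTRS model, the matching function and every type name other than unconfined_execheap_t are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed toy policy model (not setools): ATTRS maps an attribute to its
# member types; names other than the page's unconfined_execheap_t are made up.
Rule = namedtuple("Rule", "source target tclass perms")
ATTRS = {
    "domain": frozenset({"init_t", "sshd_t", "unconfined_execheap_t"}),
    "unused_attr": frozenset(),   # empty attribute: rules using it are ignored
}

def expand(name):
    """Member types of an attribute, or the type itself."""
    return ATTRS.get(name, frozenset({name}))

def matches(rule, check):
    """Does the rule satisfy the check's criteria (an absent option = any)?"""
    if "source" in check and check["source"] not in expand(rule.source) | {rule.source}:
        return False
    if "target" in check and check["target"] not in expand(rule.target) | {rule.target}:
        return False
    if "tclass" in check and rule.tclass not in check["tclass"]:
        return False
    return "perms" not in check or bool(rule.perms & check["perms"])

def assert_te(rules, check):
    """Failures for the assert_te semantics described in the man page."""
    def members(opt):   # union of the member types of every name in an option
        return set().union(*map(expand, check.get(opt, ())))
    exp_s, exp_t = members("expect_source"), members("expect_target")
    ok_s, ok_t = exp_s | members("exempt_source"), exp_t | members("exempt_target")
    failures, unseen_s, unseen_t = [], set(exp_s), set(exp_t)
    for rule in rules:
        srcs, tgts = expand(rule.source), expand(rule.target)
        if not matches(rule, check) or not srcs or not tgts:
            continue
        unseen_s -= srcs
        unseen_t -= tgts
        # A side passes only when every member type is expected or exempted.
        if not (srcs <= ok_s or tgts <= ok_t):
            failures.append(f"unexpected rule: {rule}")
    failures += [f"expected source not seen: {t}" for t in sorted(unseen_s)]
    failures += [f"expected target not seen: {t}" for t in sorted(unseen_t)]
    return failures

# Constructed rules run against the execheap check from Example 3.
RULES = [
    Rule("unconfined_execheap_t", "unconfined_execheap_t", "process", frozenset({"execheap"})),
    Rule("init_t", "init_t", "process", frozenset({"execheap", "execstack"})),
    Rule("unused_attr", "unused_attr", "process", frozenset({"execheap"})),
]
EXECHEAP = {"tclass": {"process"}, "perms": {"execheap"}, "exempt_source": ["unconfined_execheap_t"]}
```

Calling assert_te(RULES, EXECHEAP) reports only the init_t rule: the exempted domain passes and the rule on the empty attribute is skipped.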

ROLE BASED ACCESS CONTROL ASSERTION CHECK
This checks for the nonexistence of role based access control (RBAC) allow rules. The check_type is assert_rbac. It will run the query and any unexpected results from the query, removing any exempted sources or targets, will be listed as failures. Any expected results that are not seen will also be listed as failures.

Criteria options:

source = <role>
The source role criteria for the query.

target = <role>
The target role criteria for the query.

At least one of the above options must be set in this check.

Additional Options:

expect_source = <role>[ ...]
A space-separated list of roles. Each of these roles must be seen as the source of a rule that matches the criteria. At the end of the query, each unseen role in this list will be reported as a failure. This is optional.

expect_target = <role>[ ...]
A space-separated list of roles. Each of these roles must be seen as the target of a rule that matches the criteria. At the end of the query, each unseen role in this list will be reported as a failure. This is optional.

exempt_source = <role>[ ...]
A space-separated list of roles. Rules with these as the source will be ignored. This is optional.

exempt_target = <role>[ ...]
A space-separated list of roles. Rules with these as the target will be ignored. This is optional.

EMPTY TYPE ATTRIBUTE CHECK
This checks that the specified attribute is empty. This can optionally be set to also pass if the attribute does not exist. The check_type is empty_typeattr.

Options:

attr = <type attribute>
The type attribute to check. This is required.

missing_ok = <boolean>
Consider the check passing if the attribute does not exist. This is optional. Default is false.

READ-ONLY EXECUTABLES CHECK
This checks that all file types that are executable are read-only. The check_type is ro_execs.

Options:

exempt_file = <type or type attribute>[ ...]
A space-separated list of types and type attributes. These will not be considered executable. This is optional.

exempt_exec_domain = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Rules with these as the source will be ignored if they allow file execute permission. This is optional.

exempt_write_domain = <type or type attribute>[ ...]
A space-separated list of types and type attributes. Rules with these as the source will be ignored if they allow file write or append permissions on types determined executable. This is optional.

EXAMPLES
Example 1. A check called "no_unconfined" that will determine if the domain_unconfined_type attribute is empty or missing.

[no_unconfined]
check_type = empty_typeattr
desc = Verify that the domain_unconfined_type attribute is missing or empty.
attr = domain_unconfined_type
missing_ok = True

Example 2. A check called "ro_execs" that will determine if all executable types are read-only.

[ro_execs]
check_type = ro_execs
desc = Verify that all executables and libraries are read-only.

Example 3. A check called "execheap" that will determine that there are no domains with the execheap permission except for unconfined_execheap_t.

[execheap]
check_type = assert_te
desc = Verify no domains have executable heap.
tclass = process
perms = execheap
exempt_source = unconfined_execheap_t

AUTHOR
Chris PeBenito <chpebeni@linux.microsoft.com>

BUGS
Please report bugs via the SETools bug tracker,
https://github.com/SELinuxProject/setools/issues

SEE ALSO
apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project    2020-06-09    sechecker(1)