sesearch(1)         SETools: SELinux Policy Analysis Tools         sesearch(1)

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]

DESCRIPTION

       sesearch allows the user to search the rules in an SELinux policy.

POLICY

       A single file containing a binary policy. This file is usually named by
       version on Linux systems, for example, policy.30. This file is usually
       named sepolicy on Android systems. If no policy file is provided,
       sesearch will search for the policy running on the current system. If
       no policy can be found, sesearch will print an error message and exit.

EXPRESSIONS

       The user may specify an expression containing values for one or more
       fields in a rule. If no expression is specified, or if none of the
       specified fields apply to a given rule type, all rules of that type are
       considered to match the expression.
   Type Enforcement Rule Types
       -A     Find allow and allowxperm rules.

       --allow
              Find allow rules.

       --auditallow
              Find auditallow rules.

       --dontaudit
              Find dontaudit rules.

       --allowxperm
              Find allowxperm rules.

       --auditallowxperm
              Find auditallowxperm rules.

       --dontauditxperm
              Find dontauditxperm rules.

       -T, --type_trans
              Find type_transition rules.

       --type_member
              Find type_member rules.

       --type_change
              Find type_change rules.

   RBAC Rule Types
       --role_allow
              Find role allow rules.

       --role_trans
              Find role_transition rules.

       Note: TE/MLS rule searches cannot be mixed with RBAC rule searches.

   MLS Rule Types
       --range_trans
              Find range_transition rules.

   Rule Fields
       -s NAME, --source NAME
              Find rules with NAME as their source type/role.

       -t NAME, --target NAME
              Find rules with NAME as their target type/role.

       -D NAME, --default NAME
              Find rules with NAME as their default type/role/level.

       -c NAME, --class NAME
              Find rules with NAME as their object class.

       -p P1[,P2,...], --perm P1[,P2,...]
              Find rules with at least one of the specified permissions.
              Multiple permissions may be specified as a comma-separated list.

       -b BOOL[,B2,...], --bool BOOL[,B2,...]
              Find conditional rules with the named Boolean in their
              conditional expression. Multiple Booleans may be specified as a
              comma-separated list. This option will include rules in both
              the true and false lists of the conditional.

   Search Options
       The following additional options modify how the search is performed.

       -ds    A matching rule must have the specified source
              attribute/type/role explicitly, instead of matching by
              attribute contents.

       -dt    A matching rule must have the specified target
              attribute/type/role explicitly, instead of matching by
              attribute contents.

       -eb    A matching rule must have all specified Booleans, instead of
              matching any of the specified Booleans.

       -ep    A matching rule must have exactly the specified permissions,
              instead of matching any of the specified permissions.

       -ex    A matching rule must have exactly the specified extended
              permissions, instead of matching any listed extended permission.

       -Sp    A matching rule must have permissions which are a superset of
              the specified permissions, instead of matching any of the
              permissions.

       -rs    Use regular expression for matching the source type/role.

       -rt    Use regular expression for matching the target type/role.

       -rc    Use regular expression for matching the object class.

       -rd    Use regular expression for matching the default type/role.

       -rb    Use regular expression for matching Booleans.
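
       The following Python sketch is an added illustration, not SETools
       code. It models how -ds, -ep and -Sp narrow a search compared with the
       default matching; the rules, the attribute membership and the expansion
       logic for "matching by attribute contents" are constructed assumptions.

```python
# Added illustration: a simplified model of sesearch matching, not SETools code.
from dataclasses import dataclass

# Constructed sample data: attribute -> member types.
ATTRIBUTES = {"container_domain": {"container_t", "container_init_t"}}


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    tclass: str
    perms: frozenset


# Constructed allow rules; the first is written against the attribute itself.
RULES = [
    Rule("container_domain", "container_file_t", "file", frozenset({"getattr", "read"})),
    Rule("container_t", "container_file_t", "file", frozenset({"open", "read", "write"})),
    Rule("container_init_t", "container_file_t", "file", frozenset({"read", "write"})),
]


def expand(name):
    """An attribute expands to its member types; a type expands to itself."""
    return ATTRIBUTES.get(name, {name})


def source_matches(rule, source, direct):
    if direct:                        # -ds: the rule must name SOURCE literally
        return rule.source == source
    # Default (assumed model): match through attribute contents in either direction.
    return bool(expand(source) & expand(rule.source))


def perms_match(rule, wanted, mode):
    if mode == "exact":               # -ep: exactly the specified permissions
        return rule.perms == wanted
    if mode == "superset":            # -Sp: rule grants all specified permissions
        return rule.perms >= wanted
    return bool(rule.perms & wanted)  # default: at least one specified permission


def search(rules, source=None, perms=None, direct=False, mode="any"):
    wanted = frozenset(perms or ())
    return [r for r in rules
            if (source is None or source_matches(r, source, direct))
            and (not wanted or perms_match(r, wanted, mode))]


def sources(hits):
    """Sorted source names of the matching rules, for easy comparison."""
    return sorted(r.source for r in hits)
```

       When auditing which domains can both read and write a type, the -Sp
       style search is the one that answers the question; the default search
       also returns rules that grant only one of the two permissions.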

OPTIONS

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       List allow (and allowxperm) rules for accessing files labeled
       container_file_t from domains with attribute container_domain:
       # sesearch -A -s container_domain -t container_file_t -c file

       List allow and dontaudit rules for accessing chr_files labeled
       container_file_t, that are controlled by boolean container_use_devices:
       # sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices

       List dontaudit rules assigned via application_domain_type attribute
       (rules concerning specific types with that attribute are excluded):
       # sesearch --dontaudit -s application_domain_type -ds

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)

SELinux Project                   2016-02-20                       sesearch(1)