sedta(1)            SETools: SELinux Policy Analysis Tools            sedta(1)

NAME

       sedta - Domain transition analysis for SELinux policies

SYNOPSIS

       sedta [OPTIONS] -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]

DESCRIPTION

       sedta is a command line tool that allows the user to perform domain
       transition analyses on an SELinux policy.

POLICY

       A single file containing a binary policy. On Linux systems this file
       is usually named by version, for example, policy.30. On Android
       systems it is usually named sepolicy. If no policy file is provided,
       sedta will search for the policy running on the current system. If no
       policy can be found, sedta will print an error message and exit.

OPTIONS

   Analysis Settings
       -p POLICY
              Specify the policy to analyze. If none is specified, sedta will
              search for the policy running on the current system.

       -s SOURCE
              Specify the source type to use in the domain transition
              analysis.

       -t TARGET
              Specify the target type to use in the domain transition
              analysis. Using this option will also require specifying an
              analysis algorithm.
   Analysis Algorithms
       sedta uses graph algorithms to analyze the domain transition paths of
       an SELinux policy. The following algorithms are options for
       determining paths from a source type to a target type.

       -S     Print the shortest domain transition path(s) from the source
              type to the target type. If multiple paths have the same
              length, all will be displayed.

       -A LIMIT
              Print all domain transition path(s) up to LIMIT steps long.
              Depending on the connectivity of the policy, this may be
              extremely expensive.
   Analysis Options
       -r     Perform a reverse domain transition analysis. The domain
              transitions will be analyzed to find the parent domains,
              instead of finding the child domains.

       -l LIMIT_TRANS
              Specify the maximum number of domain transitions to output. The
              default is unlimited.

       EXCLUDE
              A space-separated list of types to exclude from the analysis.
   General Options
       --full Print rule lists for transitions.

       --stats
              Print domain transition graph statistics at the end of the
              analysis.

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       Show the shortest transition paths from httpd_t to unconfined_t, while
       not using container_runtime_t
              # sedta -s httpd_t -t unconfined_t -S container_runtime_t

       List all domain transition paths shorter than 3 steps from init_t to
       smbd_t
              # sedta -s init_t -t smbd_t -A 3
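
       The path searches described under Analysis Algorithms and Analysis
       Options, as an added Python example that is not part of SETools or
       this manual page. The transition graph is constructed, the function
       names are hypothetical, and it assumes path length is counted in
       transitions with LIMIT inclusive.

```python
# Constructed toy domain transition graph (not taken from a real policy):
# an edge A -> B means a process in domain A can transition to domain B.
TRANSITIONS = {
    "init_t": ["httpd_t", "sshd_t", "container_runtime_t"],
    "httpd_t": ["httpd_sys_script_t", "container_runtime_t"],
    "httpd_sys_script_t": ["user_t"],
    "container_runtime_t": ["unconfined_t"],
    "sshd_t": ["user_t"],
    "user_t": ["unconfined_t"],
    "unconfined_t": [],
}

def build_graph(edges, exclude=(), reverse=False):
    """Drop excluded types (EXCLUDE) and optionally flip every edge (-r)."""
    graph = {t: [] for t in edges if t not in exclude}
    for src, dsts in edges.items():
        for dst in dsts:
            if src in graph and dst in graph:
                a, b = (dst, src) if reverse else (src, dst)
                graph[a].append(b)
    return graph

def all_paths(graph, source, target, limit):
    """-A LIMIT analogue: every loop-free path of at most `limit` transitions."""
    found, stack = [], [[source]]
    while stack:
        path = stack.pop()
        if path[-1] == target and len(path) > 1:
            found.append(path)
            continue
        if len(path) - 1 < limit:  # assumption: LIMIT is inclusive
            stack.extend(path + [n] for n in graph.get(path[-1], [])
                         if n not in path)
    return sorted(found)

def shortest_paths(graph, source, target):
    """-S analogue: all paths that tie for the minimum number of transitions."""
    for limit in range(1, len(graph)):
        paths = all_paths(graph, source, target, limit)
        if paths:  # nothing was found at limit-1, so all have length `limit`
            return paths
    return []

if __name__ == "__main__":
    hardened = build_graph(TRANSITIONS, exclude={"container_runtime_t"})
    print(shortest_paths(build_graph(TRANSITIONS), "httpd_t", "unconfined_t"))
    print(shortest_paths(hardened, "httpd_t", "unconfined_t"))
    print(len(all_paths(build_graph(TRANSITIONS), "init_t", "unconfined_t", 4)))
```

       Excluding container_runtime_t lengthens the shortest path from
       httpd_t to unconfined_t from two transitions to three, and each
       increase of the limit enlarges the result set of the all-paths search.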

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project                   2016-02-20                          sedta(1)