NAME
seinfo - SELinux policy query tool
SYNOPSIS
seinfo [OPTIONS] [EXPRESSION] [POLICY ...]
DESCRIPTION
seinfo allows the user to query the components of a SELinux policy.
POLICY
seinfo supports loading a SELinux policy in one of four formats.
source
    A single text file containing policy source for versions 12 through 21.
    This file is usually named policy.conf.
binary
    A single file containing a monolithic kernel binary policy for versions 15
    through 21. This file is usually named by version - for example, policy.20.
modular
    A list of policy packages each containing a loadable policy module. The
    first module listed must be a base module.
policy list
    A single text file containing all the information needed to load a policy,
    usually exported by SETools graphical utilities.
If no policy file is provided, seinfo will search for the system default
policy: checking first for a source policy, next for a binary policy matching
the running kernel's preferred version, and finally for the highest version
that can be found. In the latter case, the policy will be downgraded to match
the running system. If no policy can be found, seinfo will print an error
message and exit.
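The default-policy search order described above, written out as a shell function so it can be checked against a directory. This is an added example and not part of SETools; seinfo performs the lookup internally. The directory is passed in explicitly (on a typical system it would be /etc/selinux/<type>/policy, which is an assumption, not something this page states), and the preferred version stands in for the running kernel's.

```shell
#!/bin/sh
# Added example, not part of SETools: the default-policy search order from the
# POLICY section, as a checkable function.
#
# Usage: find_default_policy DIR PREFERRED_VERSION
# Prints the chosen policy path, or prints an error and returns 1.
find_default_policy() {
    dir=$1
    preferred=$2

    # 1. A source policy (policy.conf) wins outright.
    if [ -f "$dir/policy.conf" ]; then
        printf '%s\n' "$dir/policy.conf"
        return 0
    fi

    # 2. A binary policy matching the running kernel's preferred version.
    if [ -n "$preferred" ] && [ -f "$dir/policy.$preferred" ]; then
        printf '%s\n' "$dir/policy.$preferred"
        return 0
    fi

    # 3. Otherwise the highest-numbered binary policy present. seinfo would
    #    downgrade this to the running kernel's version when loading it.
    best=""
    bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*/}
        ver=${ver#policy.}
        case $ver in
            ''|*[!0-9]*) continue ;;   # skip anything without a numeric suffix
        esac
        if [ "$ver" -gt "$bestver" ]; then
            bestver=$ver
            best=$f
        fi
    done
    if [ -n "$best" ]; then
        if [ -n "$preferred" ] && [ "$bestver" -gt "$preferred" ]; then
            printf 'note: policy.%s is newer than preferred version %s; seinfo would downgrade it\n' \
                "$bestver" "$preferred" >&2
        fi
        printf '%s\n' "$best"
        return 0
    fi

    printf 'seinfo: no policy found in %s\n' "$dir" >&2
    return 1
}

# Stand-alone run: inspect the directory given on the command line, with an
# assumed preferred version of 21 unless a second argument is given.
if [ -n "${1:-}" ]; then
    find_default_policy "$1" "${2:-21}"
fi
```

Run it as `sh find_policy.sh /etc/selinux/targeted/policy 21` (path assumed) to see which file seinfo would pick up when invoked without a POLICY argument; pass an explicit policy file on the seinfo command line when the answer is not the one you expected.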
EXPRESSIONS
One or more of the following component types can be queried. Each option may
only be specified once; if an option is provided multiple times, the last
instance is used. Because the NAME, TYPE, ADDR or PORT argument of an
expression is optional, it must be attached to the option (for example
-thttpd_t or --type=httpd_t); a separate word following -t is taken as a
POLICY argument, not as a NAME. Some components support the -x flag to print
expanded information about that component; if a particular component does not
support expanded information, the flag is ignored for that component (see -x
below). If no expressions are provided, policy statistics are printed (see
--stats below).
-c[NAME], --class[=NAME]
    Print a list of object classes or, if NAME is provided, print the object
    class NAME. With -x, print a list of permissions for each displayed object
    class.
--sensitivity[=NAME]
    Print a list of sensitivities or, if NAME is provided, print the
    sensitivity NAME. With -x, print the corresponding level statement for
    each displayed sensitivity.
--category[=NAME]
    Print a list of categories or, if NAME is provided, print the category
    NAME. With -x, print a list of sensitivities with which each displayed
    category may be associated.
-t[NAME], --type[=NAME]
    Print a list of types (not including aliases or attributes) or, if NAME is
    provided, print the type NAME. With -x, print a list of attributes which
    include each displayed type.
-a[NAME], --attribute[=NAME]
    Print a list of type attributes or, if NAME is provided, print the
    attribute NAME. With -x, print a list of types assigned to each displayed
    attribute.
-r[NAME], --role[=NAME]
    Print a list of roles or, if NAME is provided, print the role NAME. With
    -x, print a list of types assigned to each displayed role.
-u[NAME], --user[=NAME]
    Print a list of users or, if NAME is provided, print the user NAME. With
    -x, print a list of roles assigned to each displayed user.
-b[NAME], --bool[=NAME]
    Print a list of conditional booleans or, if NAME is provided, print the
    boolean NAME. With -x, print the default state of each displayed
    conditional boolean.
--initialsid[=NAME]
    Print a list of initial SIDs or, if NAME is provided, print the initial
    SID NAME. With -x, print the context assigned to each displayed SID.
--fs_use[=TYPE]
    Print a list of fs_use statements or, if TYPE is provided, print the
    statement for filesystem TYPE. There is no expanded information for this
    component.
--genfscon[=TYPE]
    Print a list of genfscon statements or, if TYPE is provided, print the
    statement for the filesystem TYPE. There is no expanded information for
    this component.
--netifcon[=NAME]
    Print a list of netif contexts or, if NAME is provided, print the
    statement for interface NAME. There is no expanded information for this
    component.
--nodecon[=ADDR]
    Print a list of node contexts or, if ADDR is provided, print the statement
    for the node with address ADDR. There is no expanded information for this
    component.
--polcap
    Print policy capabilities.
--permissive
    Print permissive types.
--portcon[=PORT]
    Print a list of port contexts or, if PORT is provided, print the statement
    for port PORT. There is no expanded information for this component.
--protocol=PROTO
    Print only portcon statements for the protocol PROTO. This option is
    ignored if portcon statements are not printed or if no statement exists
    for the requested port.
--constrain
    Print a list of constraints. There is no expanded information for this
    component.
--all
    Print all components.
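A small policy hygiene check built on the expressions above (--permissive, -a with -x, and -b with -x), as an added example that is not part of SETools. The text layout it parses, an optional "Header: COUNT" summary line followed by one indented name per line with the members of an expanded entry indented beneath it, is an assumption about seinfo's output and the parsing is kept tolerant; the sample output embedded in the script is constructed, and unconfined_domain_type is assumed to exist in the loaded policy.

```shell
#!/bin/sh
# Added example, not part of SETools: a policy hygiene check driven by seinfo.
# The output layout parsed here is an assumption (see the lead-in above).

# Turn seinfo list output on stdin into one bare name per line: drop the
# "Header: N" summary line and blank lines, strip leading whitespace.
seinfo_names() {
    sed -e '/^[^[:space:]].*:[[:space:]]*[0-9]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e '/^$/d'
}

# Members of attribute ATTR from 'seinfo -aATTR -x' output on stdin:
# every name except the attribute's own line.
attribute_members() {
    seinfo_names | grep -v -x -- "$1" || true
}

# Number of lines on stdin (wc -l pads its output on some systems).
count_lines() {
    awk 'END { print NR }'
}

# Constructed sample output standing in for the real commands, so the parsing
# functions can be exercised on a machine without a policy.
SAMPLE_PERMISSIVE='Permissive Types: 2
   sandbox_t
   test_domain_t'

SAMPLE_ATTR='   unconfined_domain_type
      unconfined_t
      init_t'

# Check the live system policy (only when seinfo is installed). Permissive
# domains are enforced nowhere, so a hardened policy should list none, and
# every type carrying a broad attribute deserves a second look. Note the
# attached argument form (-aNAME): a separated word would be read as a
# POLICY file.
if command -v seinfo >/dev/null 2>&1; then
    n=$(seinfo --permissive | seinfo_names | count_lines)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n permissive type(s) in the loaded policy:"
        seinfo --permissive | seinfo_names
    fi
    echo "Types carrying the unconfined_domain_type attribute:"
    seinfo -aunconfined_domain_type -x | attribute_members unconfined_domain_type
    # Booleans with their default state as shipped, for comparison with the
    # running values reported by getsebool -a.
    seinfo -b -x
fi
```

The default boolean states printed by `seinfo -b -x` come from the policy file, not the kernel, so a difference from `getsebool -a` shows a boolean that has been toggled at runtime.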
OPTIONS
-x, --expand
    Print additional details for each component matching the expression. These
    details include the types assigned to an attribute or role and the
    permissions for an object class. This option is not available for all
    component types; see the description of each component for the details
    this option will provide.
--stats
    Print policy statistics including policy type and version information and
    counts of all components and rules.
-l, --line-breaks
    Print line breaks when displaying constraint statements.
-h, --help
    Print help information and exit.
-V, --version
    Print version information and exit.
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright(C) 2003-2010 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
sesearch(1),
apol(1)