NAME¶
sesearch - SELinux policy query tool
SYNOPSIS¶
sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]
DESCRIPTION¶
sesearch allows the user to search the rules in a SELinux policy.
POLICY¶
sesearch supports loading a SELinux policy in one of four formats.
- source
- A single text file containing policy source for versions 12
through 21. This file is usually named policy.conf.
- binary
- A single file containing a monolithic kernel binary policy
for versions 15 through 21. This file is usually named by version - for
example, policy.20.
- modular
- A list of policy packages each containing a loadable policy
module. The first module listed must be a base module.
- policy list
- A single text file containing all the information needed to
load a policy, usually exported by SETools graphical utilities.
If no policy file is provided,
sesearch will search for the system
default policy: checking first for a source policy, next for a binary policy
matching the running kernel's preferred version, and finally for the highest
version that can be found. In the latter case, the policy will be downgraded
to match the running system. If no policy can be found,
sesearch will
print an error message and exit.
RULE TYPE OPTIONS¶
sesearch is capable of searching multiple types of rules. At least one of
the following must be provided to specify the desired type(s) of rules to
search.
- -A, --allow
- Search for allow rules.
- --neverallow
- Search for neverallow rules.
- --auditallow
- Search for auditallow rules.
- --dontaudit
- Search for dontaudit rules.
- -T, --type
- Search for type_transition, type_member, and type_change
rules.
- --role_allow
- Search for role allow rules.
- --role_trans
- Search for role_transition rules.
- --range_trans
- Search for range_transition rules.
- --all
- Search all rule types.
EXPRESSIONS¶
The user may specify an expression containing values for a given field(s) in a
rule. Only those fields applicable to a given rule type will be used; all
other fields will be ignored. (For example, type_transition rules will ignore
the permissions field.) If no expression is specified or if none of the
specified fields apply to a given rule type, all rules of that type are
considered to match the expression.
- -s NAME, --source=NAME
- Find rules with type/attribute NAME as their source.
- -t NAME, --target=NAME
- Find rules with type/attribute NAME as their target.
- --role_source=NAME
- Find rules with role NAME as their source.
- --role_target=NAME
- Find rules with role NAME as their target.
- -c NAME, --class=NAME
- Find rules with class NAME as their object class.
- -p P1[,P2,...] --perm=P1[,P2...]
- Find rules with at least one of the specified permissions.
Multiple permissions may be specified as a comma separated list; it is
recommended that this list be quoted for shells that interpret comma as a
special character.
- -b NAME, --bool=NAME
- Find conditional rules with NAME in their conditional
expression. This option will include rules in both the true and false
lists of the conditional.
OPTIONS¶
The following additional options exist to modify how the search is performed and
the amount of information printed for each result.
- -d, --direct
- Normally rules are matched using the type given or any of
that type's attributes (or an attribute's types). This
"indirect" matching also considers types used in complemented
sets, the special set "*", and the special target
"self". When the direct flag is given, matching is done
literally. The rule must explicitly contain the given type (or attribute)
for it to be returned.
- -R, --regex
- Use regular expressions to match symbol names. By default
only exact string matches will be considered.
- -n, --linenum
- Print the line number for each rule. This option is ignored
if using the --semantic option or if line numbers are not available for
the given policy.
- -S, --semantic
- Search rules semantically instead of syntactically. This
option is implied for policies for which syntactic rules are not
available.
- -C, --show_cond
- Print the conditional expression and state for all
conditional rules found. This option has no effect on unconditional
rules.
- -h, --help
- Print help information and exit.
- -V, --version
- Print version information and exit.
AUTHOR¶
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT¶
Copyright(C) 2003-2008 Tresys Technology, LLC
BUGS¶
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO¶
seinfo(1),
apol(1)