
sechecker - Configuration-driven automated SELinux policy analysis

Author

       Chris PeBenito <chpebeni@linux.microsoft.com>

Bugs

       Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

Configuration Examples

       Example 1. A check called "no_unconfined" that will determine if the domain_unconfined_type attribute is empty or missing.

           [no_unconfined]
           check_type = empty_typeattr
           desc = Verify that the domain_unconfined_type attribute is missing or empty.
           attr = domain_unconfined_type
           missing_ok = True

       Example 2. A check called "ro_execs" that will determine if all executable types are read-only.

           [ro_execs]
           check_type = ro_execs
           desc = Verify that the all executables and libraries are read-only.

       Example 3. A check called "execheap" that will determine that there are no domains with the execheap permission except for unconfined_execheap_t.

           [execheap]
           check_type = assert_te
           desc = Verify no domains have executable heap.
           tclass = process
           perms = execheap
           exempt_source = unconfined_execheap_t

Configuration File

       The configuration file is in the .ini format. Each section is considered a check, with the  configuration
       section name being the name of the check.  All checks have the following options:

       check_type = <name>
              This selects the type of test to be used in this check.  This is required.

       desc = <text>
              This  is  an optional text field.  If set, the contents are printed in the output and is typically
              used to explain the purpose of the check.

       disable = <text>
              This is an optional text field.  If it is set, the check will not run and the contents of this
              text will be added to the report to explain why the check was not run.

Description

sechecker  is  an  automated  SELinux policy analysis tool. It uses a configuration file to define one or
       more analysis checks.

Empty Type Attribute Assertion

       This checks that the specified attribute is empty.  This can optionally  be  set  to  also  pass  if  the
       attribute does not exist.  The check_type is empty_typeattr.

       Options:

       attr = <type attribute>
              The type attribute to check.  This is required.

       missing_ok = <bool>
              Consider the check passing if the attribute does not exist.  This is optional.  Default is false.

Name

       sechecker - Configuration-driven automated SELinux policy analysis

Options

       -o <path>
              Output the results to the specified path instead of stdout.

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

Policy

       A single file containing a binary policy. This file is usually named by version  on  Linux  systems,  for
       example,  policy.30.  This file is usually named sepolicy on Android systems.  If not provided, sechecker
       will attempt to locate and open the current policy running on the system.

Read-Only Executables Assertion

       This checks that all file types that are executable are read-only.  The check_type is ro_execs.

       Options:

       exempt_file = <type or type attribute>[ ....]
              A  space-separated  list  of  types and type attributes.  These will not be considered executable.
              This is optional.

       exempt_exec_domain = <type or type attribute>[ ....]
              A space-separated list of types and type attributes.  Rules with  these  as  the  source  will  be
              ignored if they allow file execute permission.  This is optional.

       exempt_write_domain = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and  type attributes.  Rules with these as the source will be
              ignored if they allow file write or append permissions on types determined  executable.   This  is
              optional.

Return Codes

sechecker has the following return codes:

       0      All checks passed.

       1      One or more checks failed.

       2      Error in the configuration file.

       3      Other errors, such as policy open error.

Role Based Access Control Allow Rule Assertion

       This  checks  for  the  nonexistence  of  role based access control (RBAC) allow rules. The check_type is
       assert_rbac.  It will run the query and any unexpected results from  the  query,  removing  any  exempted
       sources  or  targets,  will  be  listed as failures.  Any expected results that are not seen will also be
       listed as failures.

       Criteria options:

       source = <role>
              The source role criteria for the query.

       target = <role>
              The target role criteria for the query.

       At least one of the above options must be set in this check.

       Additional Options:

       expect_source = <role>[ ....]
              A space-separated list of roles.  Each of these roles must be seen as the source of  a  rule  that
              matches  the criteria.  At the end of the query, each unseen role in this list will be reported as
              a failure. This is optional.

       expect_target = <role>[ ....]
              A space-separated list of roles.  Each of these roles must be seen as the target of  a  rule  that
              matches  the criteria.  At the end of the query, each unseen role in this list will be reported as
              a failure. This is optional.

       exempt_source = <role>[ ....]
              A space-separated list of roles.  Rules with  these  as  the  source  will  be  ignored.  This  is
              optional.

       exempt_target = <role>[ ....]
              A  space-separated  list  of  roles.   Rules  with  these  as  the target will be ignored. This is
              optional.

See Also

apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project                                    2020-06-09                                       sechecker(1)

Synopsis

sechecker [OPTIONS] config.ini [POLICY]

Type Enforcement Allow Rule Assertion

       This  checks  for the nonexistence of type enforcement allow rules. The check_type is assert_te.  It will
       run the query and any unexpected results from the query, removing any exempted sources or  targets,  will
       be  listed  as  failures.   Any expected results that are not seen will also be listed as failures.  If a
       rule has an empty attribute, rendering it useless, it will be ignored.  If a rule has  an  attribute,  it
       will be considered a failure unless all of the member types are exempted.

       Criteria options:

       source = <type or type attribute>
              The source type/attribute criteria for the query.

       target = <type or type attribute>
              The target type/attribute criteria for the query.

       tclass = <type or type attribute>[ ....]
              A space-separated list of object class criteria for the query.

       perms = <type or type attribute>[ ....]
              A space-separated list of permissions for the query.

       At least one of the above options must be set in this check.

       Additional Options:

       expect_source = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and type attributes.  Each of these types must be seen as the
              source of a rule that matches the criteria.  At the end of the query, each  unseen  type  in  this
              list will be reported as a failure. This is optional.

       expect_target = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and type attributes.  Each of these types must be seen as the
              target of a rule that matches the criteria.  At the end of the query, each  unseen  type  in  this
              list will be reported as a failure. This is optional.

       exempt_source = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and  type attributes.  Rules with these as the source will be
              ignored. This is optional.

       exempt_target = <type or type attribute>[ ....]
              A space-separated list of types and type attributes.  Rules with  these  as  the  target  will  be
              ignored. This is optional.

       Note:  If  a  rule  has an attribute source, all of the member types must be in the expect_source list or
       exempt_source list to pass.  Similarly, if a rule has an attribute target, all of the member  types  must
       be in the expect_target list or exempt_target list to pass.
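The option rules documented above (the common options, the required attr for empty_typeattr, the boolean missing_ok, and the "at least one criteria option" rule for assert_te and assert_rbac) can be checked before a config is handed to sechecker, which would otherwise stop with return code 2. The following validator is an added example, not code from SETools or sechecker; it reads the .ini with Python's configparser against the schema as described on this page, and the SAMPLE config is constructed here for illustration.

```python
import configparser
from typing import List

# Schema transcribed from the sechecker(1) page, per check_type:
# (options that are required, group of which at least one must be set).
SCHEMA = {
    "empty_typeattr": (("attr",), ()),
    "ro_execs": ((), ()),
    "assert_te": ((), ("source", "target", "tclass", "perms")),
    "assert_rbac": ((), ("source", "target")),
}

def validate(config_text: str) -> List[str]:
    """Return the schema problems in a sechecker config (empty list = consistent)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    problems = []
    for check in cp.sections():            # each .ini section is one check
        opts = cp[check]
        ctype = opts.get("check_type")
        if ctype is None:
            problems.append(f"[{check}]: check_type is required")
            continue
        if ctype not in SCHEMA:
            problems.append(f"[{check}]: unknown check_type {ctype!r}")
            continue
        required, group = SCHEMA[ctype]
        for name in required:
            if name not in opts:
                problems.append(f"[{check}]: {ctype} requires {name}")
        if group and not any(name in opts for name in group):
            problems.append(f"[{check}]: at least one of {', '.join(group)} must be set")
        if ctype == "empty_typeattr" and "missing_ok" in opts:
            try:
                opts.getboolean("missing_ok")   # accepts true/false, yes/no, on/off, 1/0
            except ValueError:
                problems.append(f"[{check}]: missing_ok must be a boolean")
    return problems

# Constructed sample: the page's no_unconfined check plus an assert_rbac check with no criteria.
SAMPLE = """
[no_unconfined]
check_type = empty_typeattr
attr = domain_unconfined_type
missing_ok = True

[bad_rbac]
check_type = assert_rbac
desc = No source or target criteria set.
"""
```

Running validate(SAMPLE) reports only the bad_rbac section; a clean config returns an empty list.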
