The user may specify an expression containing values for one or more fields in a rule. If no expression
is specified, or if none of the specified fields apply to a given rule type, all rules of that type are
considered to match the expression.
Type Enforcement Rule Types
-A Find allow and allowxperm rules.
--allow
Find allow rules.
--auditallow
Find auditallow rules.
--dontaudit
Find dontaudit rules.
--allowxperm
Find allowxperm rules.
--auditallowxperm
Find auditallowxperm rules.
--dontauditxperm
Find dontauditxperm rules.
-T, --type_transition
Find type_transition rules.
--type_member
Find type_member rules.
--type_change
Find type_change rules.
RBAC Rule Types
--role_allow
Find role allow rules.
--role_transition
Find role_transition rules.
Note: TE/MLS rule searches cannot be mixed with RBAC rule searches.
MLS Rule Types
--range_transition
Find range_transition rules.
Rule Fields
-s NAME, --source NAME
Find rules with NAME as their source type/role.
-t NAME, --target NAME
Find rules with NAME as their target type/role.
-D NAME, --default NAME
Find rules with NAME as their default type/role/level.
-c NAME, --class NAME
Find rules with NAME as their object class.
-p P1[,P2,...], --perm P1[,P2,...]
Find rules with at least one of the specified permissions. Multiple permissions may be specified
as a comma-separated list.
-b BOOL[,B2,...], --bool BOOL[,B2,...]
Find conditional rules with the named Boolean in their conditional expression. Multiple Booleans
may be specified as a comma-separated list. This option will include rules in both the true and
false lists of the conditional.
Search Options
The following additional options modify how the search is performed.
-ds A matching rule must have the specified source attribute/type/role explicitly, instead of matching
by attribute contents.
-dt A matching rule must have the specified target attribute/type/role explicitly, instead of matching
by attribute contents.
-eb A matching rule must have all specified Booleans, instead of matching any of the specified
Booleans.
-ep A matching rule must have exactly the specified permissions, instead of matching any of the
specified permissions.
-ex A matching rule must have exactly the specified extended permissions, instead of matching any
listed extended permission.
-Sp A matching rule must have permissions which are a superset of the specified permissions, instead
of matching any of the permissions.
-rs Use regular expression for matching the source type/role.
-rt Use regular expression for matching the target type/role.
-rc Use regular expression for matching the object class.
-rd Use regular expression for matching the default type/role.
-rb Use regular expression for matching Booleans.
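
Added example (not part of the sesearch documentation or the setools code): a small Python model of how -p on its own, -ep and -Sp differ when reviewing which targets a domain can touch. The rule lines, type names and function names are constructed for illustration; the matching follows the option descriptions above.

```python
import re

# Constructed sample rules in the textual form of allow rules (not from a real policy).
SAMPLE_RULES = """\
allow httpd_t httpd_log_t:file { append create getattr open };
allow httpd_t etc_t:file { getattr open read };
allow httpd_t tmp_t:file { create getattr open read unlink write };
allow httpd_t httpd_config_t:file read;
"""

# ruletype source target:class then either "{ p1 p2 }" or a single permission.
RULE_RE = re.compile(r"^(\w+) (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));$")


def parse_rules(text):
    """Parse rule lines into dicts; blank or unrecognized lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        braced, single = m.group(5), m.group(6)
        perms = frozenset(braced.split()) if braced else frozenset([single])
        rules.append({"ruletype": m.group(1), "source": m.group(2),
                      "target": m.group(3), "class": m.group(4), "perms": perms})
    return rules


def match_perms(rule_perms, wanted, mode="any"):
    """Model of the permission criteria: 'any' (-p), 'equal' (-ep), 'superset' (-Sp)."""
    wanted = frozenset(wanted)
    if mode == "any":        # -p alone: at least one listed permission
        return bool(rule_perms & wanted)
    if mode == "equal":      # -p with -ep: exactly the listed permissions
        return rule_perms == wanted
    if mode == "superset":   # -p with -Sp: all listed permissions, extras allowed
        return rule_perms >= wanted
    raise ValueError(f"unknown mode: {mode}")


def search(rules, perms, mode="any"):
    """Return the target types of rules whose permissions match."""
    return [r["target"] for r in rules if match_perms(r["perms"], perms, mode)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for mode in ("any", "equal", "superset"):
        print(mode, search(rules, ["read", "write"], mode))
```

With -p read,write alone, a read-only rule still matches; adding -Sp narrows the result to rules that grant both, which is usually the question when auditing for write access.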