sedta - Man Page

Domain transition analysis for SELinux policies

Synopsis

sedta [Options] -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]

Description

sedta is a command line tool that allows the user to perform domain transition analyses on an SELinux policy.

Policy

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If no policy file is provided, sedta will search for the policy running on the current system. If no policy can be found, sedta will print an error message and exit.

Options

Analysis Settings

-p POLICY

Specify the policy to analyze. If none is specified, sedta will search for the policy running on the current system.

-s SOURCE

Specify the source type to use in the domain transition analysis.

-t TARGET

Specify the target type to use in the domain transition analysis. Using this option will also require specifying an analysis algorithm.

Analysis Algorithms

sedta uses graph algorithms to analyze the domain transition paths of an SELinux policy. The following algorithms are options for determining paths from a source type to a target type.

-S

Print the shortest domain transition path(s) from the source type to the target type.  If multiple paths have the same length, all will be displayed.

-A LIMIT

Print all domain transition path(s) up to LIMIT steps long.  Depending on the connectiveness of the policy, this may be extremely expensive.

Analysis Options

-r

Perform a reverse domain transition analysis.  The domain transitions will be analyzed to find the the parent domains, instead of finding the child domains.

-l LIMIT_TRANS

Specify the maximum number of domain transitions to output. The default is unlimited.

EXCLUDE

A space-separated list of types to exclude from the analysis.

General Options

--full

Print rule lists for transitions.

--stats

Print domain transition graph statistics at the end of the analysis.

-h,  --help

Print help information and exit.

--version

Print version information and exit.

-v,  --verbose

Print additional informational messages.

--debug

Enable debugging output.

Example

Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t
# sedta -s httpd_t -t unconfined_t -S container_runtime_t
List all domain transition paths shorter than 3 steps from init_t to smbd_t
# sedta -s init_t -t smbd_t -A 3

Author

Chris PeBenito <pebenito@ieee.org>

Bugs

Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

See Also

apol(1), sediff(1), seinfo(1), seinfoflow(1), sesearch(1)

Referenced By

apol(1), sechecker(1), sediff(1), seinfo(1), seinfoflow(1), sesearch(1).

2016-02-20 SELinux Project SETools: SELinux Policy Analysis Tools