segraph_query - Man Page

SELinux policy analysis tool

Synopsis

segraph_query [-h] [-d POLICY_GRAPH2] POLICY_GRAPH QUERY_FUNCTIONS

Description

Analyses a policy graph using the given query functions.

Available query functions

write_executable

Finds all types corresponding to executables that can be written to. Lists a dictionary with executable types as keys and types with write permission as values.

transition_write

Finds domain transitions via entrypoints that can be rewritten by the source domain. This effectively extends the reach of the source domain by the access rights of the target domain. Lists triplets of (source domain, target domain, entrypoint).

write_to_security

Finds domains that are allowed write access to "security related" types. Lists domains with the specified write access and lists of affected types (security types that can be written to).

Options

Positional arguments

POLICY_GRAPH

Policy graph file

QUERY_FUNCTIONS

Comma separated list of query functions to be executed

Optional arguments

-h, --help

Show help message and exit

-d POLICY_GRAPH2, --diff POLICY_GRAPH2

Another policy graph file for comparison

Example

Check a policy graph (created using sebuild_graph) with write_executable function:

      $ graph_query.py graph write_executable

Show consequences of change in policy (graph2 was created after the change):

      $ segraph_query graph2 write_executable,transition_write,write_to_security -d graph
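The following is an added illustration of what the three query functions and the -d/--diff comparison compute; it is not segraph_query's own code and does not read its policy graph format. It models a policy as a constructed set of allow rules (source type, target type, object class, permission), treats "write access" as the file permissions write and append, and uses a made-up list of "security related" types, all of which are assumptions for the example. The second toy policy adds one rule granting a domain write access to the entrypoint of a transition it may take, which is exactly the situation transition_write reports and --diff surfaces as a new finding.

```python
from collections import defaultdict

# Assumption: these file permissions count as "write access".
WRITE_PERMS = {"write", "append"}

# Assumption: toy list of "security related" types for write_to_security.
SECURITY_TYPES = {"shadow_t", "selinux_config_t", "security_t"}


def executable_types(policy):
    """Types some domain may execute or use as an entrypoint (treated as executables)."""
    return {t for (s, t, c, p) in policy if c == "file" and p in ("execute", "entrypoint")}


def writers(policy, tgt):
    """Types holding write access to file type tgt."""
    return {s for (s, t, c, p) in policy if t == tgt and c == "file" and p in WRITE_PERMS}


def write_executable(policy):
    """Executable type -> set of types that may write it (only types with a writer)."""
    result = {}
    for exe in sorted(executable_types(policy)):
        w = writers(policy, exe)
        if w:
            result[exe] = w
    return result


def transition_write(policy):
    """(source, target, entrypoint) for domain transitions whose entrypoint the source may write.

    A transition needs: source -> target process transition, target has file
    entrypoint on the entrypoint type, and source may execute that type.
    """
    transitions = {(s, t) for (s, t, c, p) in policy if c == "process" and p == "transition"}
    entrypoints = defaultdict(set)  # target domain -> entrypoint file types
    for (s, t, c, p) in policy:
        if c == "file" and p == "entrypoint":
            entrypoints[s].add(t)
    found = set()
    for src, tgt in transitions:
        for entry in entrypoints[tgt]:
            can_exec = (src, entry, "file", "execute") in policy
            if can_exec and src in writers(policy, entry):
                found.add((src, tgt, entry))
    return found


def write_to_security(policy, security_types=SECURITY_TYPES):
    """Domain -> set of security related types it may write."""
    result = defaultdict(set)
    for (s, t, c, p) in policy:
        if t in security_types and c == "file" and p in WRITE_PERMS:
            result[s].add(t)
    return dict(result)


def new_findings(query, old_policy, new_policy):
    """Findings present after a change but not before (the idea behind -d/--diff)."""
    before, after = query(old_policy), query(new_policy)
    if isinstance(after, dict):
        return {k: v - before.get(k, set()) for k, v in after.items() if v - before.get(k, set())}
    return after - before


QUERIES = {
    "write_executable": write_executable,
    "transition_write": transition_write,
    "write_to_security": write_to_security,
}


def run_queries(policy, names, diff_against=None):
    """Run a comma separated list of query names, optionally as a diff against another policy."""
    out = {}
    for name in names.split(","):
        query = QUERIES[name]
        out[name] = query(policy) if diff_against is None else new_findings(query, diff_against, policy)
    return out


# Constructed toy policy (not a real SELinux policy).
POLICY_BEFORE = frozenset({
    ("init_t", "bin_t", "file", "execute"),
    ("rpm_t", "bin_t", "file", "write"),            # package manager may update binaries
    ("init_t", "user_t", "process", "transition"),
    ("user_t", "shell_exec_t", "file", "entrypoint"),
    ("init_t", "shell_exec_t", "file", "execute"),
    ("user_t", "admin_t", "process", "transition"),
    ("admin_t", "admin_exec_t", "file", "entrypoint"),
    ("user_t", "admin_exec_t", "file", "execute"),
    ("admin_t", "shadow_t", "file", "write"),
})

# The "change": user_t may now write the entrypoint of the domain it transitions into.
POLICY_AFTER = POLICY_BEFORE | {("user_t", "admin_exec_t", "file", "write")}

if __name__ == "__main__":
    for name, res in run_queries(POLICY_AFTER, "write_executable,transition_write,write_to_security",
                                 diff_against=POLICY_BEFORE).items():
        print(name, res)
```

Running the module prints only the findings introduced by the change, which is the same idea as passing the pre-change graph via -d: the new (user_t, admin_t, admin_exec_t) triple shows that user_t could rewrite the file it executes to enter admin_t and so effectively gain admin_t's write access to shadow_t.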

See Also

sebuild_graph(1)

Author

Vit Mojzis <vmojzis@redhat.com>

Referenced By

sebuild_graph(1), seextract_cil(1).

2017-02-09 SELinux Policy Analysis Tool