sesearch - Man Page

SELinux policy query tool

Synopsis

sesearch [Options] [Options] [EXPRESSION] [Policy]

Description

sesearch allows the user to search the rules in a SELinux policy.

Policy

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If no policy file is provided, sesearch will search for the policy running on the current system. If no policy can be found, sesearch will print an error message and exit.

Expressions

The user may specify an expression containing values for a given field(s) in a rule. If no expression is specified or if none of the specified fields apply to a given rule type, all rules of that type are considered to match the expression.

Type Enforcement Rule Types

-A

Find allow and allowxperm rules.

--allow

Find allow rules.

--auditallow

Find auditallow rules.

--dontaudit

Find dontaudit rules.

--allowxperm

Find allowxperm rules.

--auditallowxperm

Find auditallowxperm rules.

--dontauditxperm

Find dontauditxperm rules.

-T,  --type_transition

Find type_transition rules.

--type_member

Find type_member rules.

--type_change

Find type_change rules.

RBAC Rule Types

--role_allow

Find role allow rules.

--role_transition

Find role_transition rules.

Note: TE/MLS rule searches cannot be mixed with RBAC rule searches

MLS Rule Types

--range_transition

Find range_transition rules.

Rule Fields

-s NAME, --source NAME

Find rules with NAME as their source type/role.

-t NAME, --target NAME

Find rules with NAME as their target type/role.

-D NAME, --default NAME

Find rules with NAME as their default type/role/level.

-c NAME, --class NAME

Find rules with NAME as their object class.

-p P1[,P2,...] --perm P1[,P2...]

Find rules with at least one of the specified permissions. Multiple permissions may be specified as a comma-separated list.

-b BOOL[,B2,...], --bool BOOL[,B2,...]

Find conditional rules with the named Boolean in their conditional expression. Multiple Booleans may be specified as a comma-separated list. This option will include rules in both the true and false lists of the conditional.

Search Options

The following additional options modify how the search is performed.

-ds

A matching rule must have the specified source attribute/type/role explicitly, instead of matching by attribute contents.

-dt

A matching rule must have the specified target attribute/type/role explicitly, instead of matching by attribute contents.

-eb

A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.

-ep

A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.

-ex

A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission.

-Sp

A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.

-rs

Use regular expression for matching the source type/role.

-rt

Use regular expression for matching the target type/role.

-rc

Use regular expression for matching the object class.

-rd

Use regular expression for matching the default type/role.

-rb

Use regular expression for matching Booleans.

Options

-h,  --help

Print help information and exit.

--version

Print version information and exit.

-v,  --verbose

Print additional informational messages.

--debug

Enable debugging output.

Example

List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain
# sesearch -A -s container_domain -t container_file_t -c file
List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices
# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices
List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded)
# sesearch --dontaudit -s application_domain_type -ds

Author

Chris PeBenito <pebenito@ieee.org>

Bugs

Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

See Also

apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)

Referenced By

apol(1), sechecker(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1).

2016-02-20 SELinux Project SETools: SELinux Policy Analysis Tools