sevisual_query - Man Page

SELinux policy visual query

Synopsis

sevisual_query [-h] [-s SOURCE | -t TARGET]
                    [-sg SOURCE_GROUP | -tg TARGET_GROUP] [-c TCLASS]
                    [-p PERMS] [-a ATTR] [-b BOOL] [-ea] [-dg]
                    [-fb [FILTER_BOOLS]] [-fa ATTR] [-sm SIZE_MULTIPLIER]
                    [policy]

Description

Creates visual representation (pdf containing vector graphics) of part of given SELinux policy (concerning selected type). Rules assigned via attributes are distinguished by color codes. Dashed lines represent conditional rules.

Options

Positional arguments

policy

Path to the SELinux policy to be used.

Optional arguments

-h, ā€‰--help

show this help message and exit

-sm SIZE_MULTIPLIER, --size_multiplier SIZE_MULTIPLIER

Graph canvas size multiplier (>1 increases space between nodes)

Rule search (similar to sesearch)

-s SOURCE, --source SOURCE

Source type of the TE rule.

-t TARGET, --target TARGET

Target type of the TE rule.

-sg SOURCE_GROUP, --source_group SOURCE_GROUP

Source type (consider whole domain group containing the type) of the TE rule.

-tg TARGET_GROUP, --target_group TARGET_GROUP

Target type (consider whole domain group containing the type) of the TE rule.

-c TCLASS, --class TCLASS

Comma separated list of object classes

-p PERMS, --perms PERMS

Comma separated list of permissions.

-a ATTR, --attr ATTR

Comma separated list of attributes.

-b BOOL, --bool BOOL

Comma separated list of Booleans in the conditional expression.

-ea

Expand rules ending in attribute (to all types that have given attribute).

Filtering

-dg

Group SELinux domains based on package they belong to.

-fb [FILTER_BOOLS], --filter_bools [FILTER_BOOLS]

Filter rules based on current boolean setting or comma separated list of [boolean]:[on/off]

-fa ATTR, --filter_attrs ATTR

Filter out rules allowed for specified attributes. ATTR is comma separated list of attributes.

Example

Show policy concerning bluetooth_t type (only access to files, other types are grouped into packages):

      $ sevisual_query -s bluetooth_t -c file -dg
      $ okular graph.pdf

See Also

seextract_cil(1), seexport_graph(1)

Hints

Have a look at seexport_graph which can work with whole policy package and the resulting visualization is interactive.

Author

Vit Mojzis <vmojzis@redhat.com>

Referenced By

seextract_cil(1).

2017-02-09 SELinux Policy Analysis Tool