sevisual_query - Man Page

SELinux policy visual query


sevisual_query [-h] [-s SOURCE | -t TARGET]
                    [-sg SOURCE_GROUP | -tg TARGET_GROUP] [-c TCLASS]
                    [-p PERMS] [-a ATTR] [-b BOOL] [-ea] [-dg]
                    [-fb [FILTER_BOOLS]] [-fa ATTR] [-sm SIZE_MULTIPLIER]


Creates visual representation (pdf containing vector graphics) of part of given SELinux policy (concerning selected type). Rules assigned via attributes are distinguished by color codes. Dashed lines represent conditional rules.


Positional arguments


Path to the SELinux policy to be used.

Optional arguments

-h, ā€‰--help

show this help message and exit


Graph canvas size multiplier (>1 increases space between nodes)

Rule search (similar to sesearch)

-s SOURCE, --source SOURCE

Source type of the TE rule.

-t TARGET, --target TARGET

Target type of the TE rule.

-sg SOURCE_GROUP, --source_group SOURCE_GROUP

Source type (consider whole domain group containing the type) of the TE rule.

-tg TARGET_GROUP, --target_group TARGET_GROUP

Target type (consider whole domain group containing the type) of the TE rule.

-c TCLASS, --class TCLASS

Comma separated list of object classes

-p PERMS, --perms PERMS

Comma separated list of permissions.

-a ATTR, --attr ATTR

Comma separated list of attributes.

-b BOOL, --bool BOOL

Comma separated list of Booleans in the conditional expression.


Expand rules ending in attribute (to all types that have given attribute).



Group SELinux domains based on package they belong to.

-fb [FILTER_BOOLS], --filter_bools [FILTER_BOOLS]

Filter rules based on current boolean setting or comma separated list of [boolean]:[on/off]

-fa ATTR, --filter_attrs ATTR

Filter out rules allowed for specified attributes. ATTR is comma separated list of attributes.


Show policy concerning bluetooth_t type (only access to files, other types are grouped into packages):

      $ sevisual_query -s bluetooth_t -c file -dg
      $ okular graph.pdf

See Also

seextract_cil(1), seexport_graph(1)


Have a look at seexport_graph which can work with whole policy package and the resulting visualization is interactive.


Vit Mojzis <>

Referenced By


2017-02-09 SELinux Policy Analysis Tool