seinfoflow - Information flow analysis for SELinux policies
seinfoflow [OPTIONS] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]
seinfoflow is a command line tool that allows the user to
perform information flow analyses on an SELinux policy.
seinfoflow supports loading SELinux policies in one of two
formats.
- source:
- A single text file containing a monolithic policy source. This file is usually named policy.conf.
- binary:
- A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems.
If no policy file is provided, seinfoflow will search for
the policy running on the current system. If no policy can be found,
seinfoflow will print an error message and exit.
- -p POLICY
- Specify the policy to analyze. If none is specified, seinfoflow will search for the policy running on the current system.
- -m MAP
- Specify the path to the permission map file to use in the information flow analysis.
- -s SOURCE
- Specify the source type to use in the information flow analysis.
- -t TARGET
- Specify the target type to use in the information flow analysis. Using this option will also require specifying an analysis algorithm.
seinfoflow uses graph algorithms to analyze the information
flow paths of an SELinux policy. The following algorithms are options for
determining paths from a source type to a target type.
- -S
- Print the shortest information flow path(s) from the source type to the target type. If multiple paths have the same length, all will be displayed.
- -A LIMIT
- Print all information flow path(s) up to LIMIT steps long. Depending on the connectivity of the policy, a limit of 5 or more may be extremely expensive.
- -w MIN_WEIGHT
- Specify the minimum permission weight to consider for the analysis (1-10). The default is 3.
- -l LIMIT_FLOWS
- Specify the maximum number of information flows to output. The default is unlimited.
- EXCLUDE
- A space-separated list of types to exclude from the analysis.
- --stats
- Print information flow graph statistics at the end of the analysis.
- -h, --help
- Print help information and exit.
- --version
- Print version information and exit.
- -v, --verbose
- Print additional informational messages.
- --debug
- Enable debugging output.
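As an added illustration that is not part of SETools or this manual page, the following Python sketch shows what the -S and -A algorithms, the -w weight filter and the EXCLUDE list do on a small constructed flow graph; the type names, edges and weights are made up and the code is not seinfoflow's own implementation.

```python
# Constructed toy information-flow graph; it is not derived from any real policy.
# Each tuple is (source_type, target_type, weight): weight is the permission
# weight (1-10) of the strongest rule letting information flow that way.
EDGES = [
    ("user_t", "tmp_t", 10),         # write to a temp file
    ("tmp_t", "sysadm_t", 10),       # admin reads that temp file
    ("user_t", "unconfined_t", 2),   # low-weight flow, dropped at default -w 3
    ("unconfined_t", "sysadm_t", 10),
    ("user_t", "shell_exec_t", 10),
    ("shell_exec_t", "bin_t", 5),
    ("bin_t", "sysadm_t", 10),
]

def build_graph(edges, min_weight=3, exclude=()):
    """Adjacency list keeping only edges at or above -w MIN_WEIGHT and
    dropping every edge that touches a type named in EXCLUDE."""
    graph = {}
    for src, tgt, weight in edges:
        if weight < min_weight or src in exclude or tgt in exclude:
            continue
        graph.setdefault(src, []).append(tgt)
    return graph

def shortest_paths(graph, source, target):
    """-S: breadth-first by path length; return every path of the minimal length."""
    frontier = [[source]]
    while frontier:
        hits = [p for p in frontier if p[-1] == target]
        if hits:
            return hits
        frontier = [p + [nxt] for p in frontier
                    for nxt in graph.get(p[-1], []) if nxt not in p]
    return []

def all_paths(graph, source, target, limit):
    """-A LIMIT: every simple path from source to target of at most `limit` steps."""
    paths = []
    def walk(path):
        if path[-1] == target:
            paths.append(list(path))
            return
        if len(path) - 1 >= limit:       # no room for another step
            return
        for nxt in graph.get(path[-1], []):
            if nxt not in path:          # simple paths only
                walk(path + [nxt])
    walk([source])
    return paths

if __name__ == "__main__":
    g = build_graph(EDGES)
    for path in all_paths(g, "user_t", "sysadm_t", 3):
        print(" -> ".join(path))
```

Lowering -w to 1 admits the unconfined_t edge and yields a second shortest path, while excluding tmp_t forces the flow through the longer shell_exec_t route.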
Chris PeBenito <cpebenito@tresys.com>
Please report bugs via the SETools bug tracker,
https://github.com/TresysTechnology/setools/issues