sesearch - SELinux policy query tool
sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]
sesearch allows the user to search the rules in an SELinux
policy.
sesearch supports loading SELinux policies in one of two
formats.
- source:
- A single text file containing a monolithic policy source. This file is
usually named policy.conf.
- binary:
- A single file containing a binary policy. This file is usually named by
version on Linux systems, for example, policy.30. This file is
usually named sepolicy on Android systems.
If no policy file is provided, sesearch will search for the
policy running on the current system. If no policy can be found,
sesearch will print an error message and exit.
The user may specify an expression containing values for one or more
fields in a rule. If no expression is specified or if none of the
specified fields apply to a given rule type, all rules of that type are
considered to match the expression.
- -s NAME, --source NAME
- Find rules with NAME as their source type/role.
- -t NAME, --target NAME
- Find rules with NAME as their target type/role.
- -D NAME, --default NAME
- Find rules with NAME as their default type/role/level.
- -c NAME, --class NAME
- Find rules with NAME as their object class.
- -p P1[,P2,...], --perm P1[,P2,...]
- Find rules with at least one of the specified permissions. Multiple
permissions may be specified as a comma-separated list.
- -b BOOL[,B2,...], --bool BOOL[,B2,...]
- Find conditional rules with the named Boolean in their conditional
expression. Multiple Booleans may be specified as a comma-separated list.
This option will include rules in both the true and false lists of the
conditional.
The following additional options modify how the search is
performed.
- -ds
- A matching rule must have the specified source attribute/type/role
explicitly, instead of matching by attribute contents.
- -dt
- A matching rule must have the specified target attribute/type/role
explicitly, instead of matching by attribute contents.
- -eb
- A matching rule must have all specified Booleans, instead of matching any
of the specified Booleans.
- -ep
- A matching rule must have all specified permissions, instead of matching
any of the specified permissions.
- -rs
- Use regular expression for matching the source type/role.
- -rt
- Use regular expression for matching the target type/role.
- -rc
- Use regular expression for matching the object class.
- -rd
- Use regular expression for matching the default type/role.
- -rb
- Use regular expression for matching Booleans.
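The following is an added example, not SETools code: a simplified Python model of how -s/-t, -ds/-dt and -p/-ep change which rules match, useful when auditing access that is granted through an attribute. The attribute, type and rule names are constructed sample data, and treating the default match as an overlap of expanded type sets is an assumption of this model.

```python
# Simplified model of the matching described above; not SETools code.
# All type, attribute and rule names below are constructed sample data.
ATTRS = {"domain": {"httpd_t", "sshd_t"}, "file_type": {"etc_t", "shadow_t"}}

# Constructed allow rules: (source, target, class, permissions).
RULES = [
    ("domain", "etc_t", "file", {"read", "getattr", "open"}),
    ("httpd_t", "shadow_t", "file", {"getattr"}),
    ("sshd_t", "shadow_t", "file", {"read", "open", "getattr"}),
    ("httpd_t", "file_type", "dir", {"search"}),
]


def expand(name):
    """An attribute expands to its member types; a type expands to itself."""
    return ATTRS.get(name, {name})


def name_matches(rule_name, wanted, direct):
    if wanted is None:          # field not in the expression: always matches
        return True
    if direct:                  # -ds / -dt: the rule must name it explicitly
        return rule_name == wanted
    # Default: match by attribute contents (assumed: expanded sets overlap).
    return bool(expand(rule_name) & expand(wanted))


def search(source=None, target=None, tclass=None, perms=(),
           ds=False, dt=False, ep=False):
    """Return the rules matching the expression, in policy order."""
    wanted = set(perms)
    hits = []
    for src, tgt, cls, rule_perms in RULES:
        if not name_matches(src, source, ds):
            continue
        if not name_matches(tgt, target, dt):
            continue
        if tclass is not None and cls != tclass:
            continue
        # -p: at least one permission; -ep: all of them.
        if wanted and not (wanted <= rule_perms if ep else wanted & rule_perms):
            continue
        hits.append((src, tgt, cls, sorted(rule_perms)))
    return hits


if __name__ == "__main__":
    for label, kw in [("-s httpd_t", {"source": "httpd_t"}),
                      ("-s httpd_t -ds", {"source": "httpd_t", "ds": True})]:
        print(label, search(**kw))
```

In this model the rule granted to the domain attribute appears for -s httpd_t but disappears with -ds, which is why an audit of what a type can access should not rely on -ds alone.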
Chris PeBenito <cpebenito@tresys.com>
Please report bugs via the SETools bug tracker,
https://github.com/TresysTechnology/setools/issues