CentOS 7.0 - man page for sechecker (centos section 1)


sechecker(1)									     sechecker(1)

NAME
       sechecker - SELinux policy checking tool

SYNOPSIS
       sechecker [OPTIONS] -p profile [POLICY ...]
       sechecker [OPTIONS] -m module [POLICY ...]
       sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION
       sechecker allows the user to perform predefined modular checks on a SELinux policy.
       Profiles exist to group modules together and allow modification of module settings (see
       below).

POLICY
       sechecker supports loading a SELinux policy in one of four formats.

       source A  single  text file containing policy source for versions 12 through 21. This file
	      is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for versions 15  through
	      21. This file is usually named by version - for example, policy.20.

       modular
	      A list of policy packages each containing a loadable policy module.  The first
	      module listed must be a base module.

       policy list
	      A single text file containing all the information needed to load a policy,  usually
	      exported by SETools graphical utilities.

       If no policy file is provided, sechecker will search for the system default policy:
       checking first for a source policy, next for a binary policy matching the running
       kernel's preferred version, and finally for the highest version that can be found.  In
       the last case, the policy will be downgraded to match the running system.  If no policy
       can be found, sechecker will print an error message and exit.

OPTIONS
       -p PROFILE, --profile=PROFILE
	      Load module settings from a module profile.  The settings in the profile will
	      override the default settings for all specified modules.  If specified without -m,
	      run all modules in the profile.  PROFILE may either be the name of a known profile
	      (see --list) or the path to a user-created profile.  See PROFILE OPTIONS below for
	      more information about creating profiles.

       -m MODULE, --module=MODULE
	      Run only the module named MODULE (see --list).

       --min-sev=SEVERITY
	      Report  only results with the minimum severity of SEVERITY.  SEVERITY must have one
	      of the following values:

	      low    The module's results indicate a flaw in the policy that does not affect the
		     manner in which the policy is enforced, but is considered to be improper.

	      med    The module's results indicate a flaw in the policy that changes the manner
		     in which the policy is enforced; however, it does not present an
		     identifiable security risk.

	      high   The module's results indicate a flaw in the policy that presents an
		     identifiable security risk.

       --fcfile=FILE
	      Use FILE for the file_contexts file instead of the system default.   This  flag  is
	      only applicable if sechecker was configured with the --enable-sefs flag.

       -l, --list
	      Print  a list of the name and a brief description of all known profiles and modules
	      and exit.

       -h[MODULE], --help[=MODULE]
	      Print general help information and exit.  If MODULE is provided, print help
	      information for the module named MODULE and exit.

       -V, --version
	      Print version information and exit.

   REPORT GENERATION OPTIONS
       Only one of the following may be provided to specify the length of the report for all
       modules.  If provided, this option overrides both profile and module default output
       settings.

       -q, --quiet
	      suppress output

       -s, --short
	      print short output

       -v, --verbose
	      print verbose output

PROFILE OPTIONS
       Profiles are used to group modules together, to specify the output format for each  module
       in  the report, and to provide the ability to override the modules' default options.  Each
       profile is a well-formed XML document, as specified by the DTD installed  with  sechecker.
       An example profile follows:

       <sechecker version="1.1">
	    <profile>
		 <module name="find_domains">
		      <output value="quiet"/>
		      <option name="domain_attribute">
			   <item value="domain"/>
			   <item value="user_domain"/>
			   ...
		      </option>
		 </module>
		 ...
	    </profile>
       </sechecker>

       The example profile specifies the output property for the find_domains module.  The
       example profile also overrides the default value for the "domain_attribute" option in
       the find_domains module.

   PROFILE OUTPUT OPTIONS
       The valid output values for each module are specified below:

       verbose
	      Print each result in the report with accompanying proof(s).

       short  Print a list of results with no accompanying proof.

       none   Do  not  print  output  from this module in the report; however, module errors will
	      still be printed.

       quiet  Do not print output from this module in the report and do not print errors. This is
	      useful for utility modules for which the calling module handles any errors.

   PROFILE MODULE OPTIONS
       Several modules provide one or more options that can be set from a profile.  Each option
       has one or more items.  To check what options are available for a module use
       --help=MODULE, where MODULE is the name of the module as printed by --list.

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2005-2008 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       apol(1)

										     sechecker(1)