sesearch - SELinux policy query tool
sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]
sesearch allows the user to search the rules in a SELinux policy.
sesearch supports loading a SELinux policy in one of four formats.
source A single text file containing policy source for versions 12 through 21. This file
is usually named policy.conf.
binary A single file containing a monolithic kernel binary policy for versions 15 through
21. This file is usually named by version - for example, policy.20.
A list of policy packages each containing a loadable policy module. The first mod-
ule listed must be a base module.
A single text file containing all the information needed to load a policy, usually
exported by SETools graphical utilities.
If no policy file is provided, sesearch will search for the system default policy: check-
ing first for a source policy, next for a binary policy matching the running kernel's pre-
ferred version, and finally for the highest version that can be found. In the latter
case, the policy will be downgraded to match the running system. If no policy can be
found, sesearch will print an error message and exit.
RULE TYPE OPTIONS
sesearch is capable of searching multiple types of rules. At least one of the following
must be provided to specify the desired type(s) of rules to search.
Search for allow rules.
Search for neverallow rules.
Search for auditallow rules.
Search for dontaudit rules.
Search for type_transition, type_member, and type_change rules.
Search for role allow rules.
Search for role_transition rules.
Search for range_transition rules.
--all Search all rule types.
The user may specify an expression containing values for a given field(s) in a rule. Only
those fields applicable to a given rule type will be used; all other fields will be
ignored. (For example, type_transition rules will ignore the permissions field.) If no
expression is specified or if none of the specified fields apply to a given rule type, all
rules of that type are considered to match the expression.
-s NAME, --source=NAME
Find rules with type/attribute NAME as their source.
-t NAME, --target=NAME
Find rules with type/attribute NAME as their target.
Find rules with role NAME as their source.
Find rules with role NAME as their target.
-c NAME, --class=NAME
Find rules with class NAME as their object class.
-p P1[,P2,...] --perm=P1[,P2...]
Find rules with at least one of the specified permissions. Multiple permissions
may be specified as a comma separated list; it is recommended that this list be
quoted for shells that interpret comma as a special character.
-b NAME, --bool=NAME
Find conditional rules with NAME in their conditional expression. This option will
include rules in both the true and false lists of the conditional.
The following additional options exist to modify how the search is performed and the
amount of information printed for each result.
Normally rules are matched using the type given or any of that type's attributes
(or an attribute's types). This "indirect" matching also considers types used in
complemented sets, the special set "*", and the special target "self". When the
direct flag is given, matching is done literally. The rule must explicitly contain
the given type (or attribute) for it to be returned.
Use regular expressions to match symbol names. By default only exact string
matches will be considered.
Print the line number for each rule. This option is ignored if using the --seman-
tic option or if line numbers are not available for the given policy.
Search rules semantically instead of syntactically. This option is implied for
policies for which syntactic rules are not available.
Print the conditional expression and state for all conditional rules found. This
option has no effect on unconditional rules.
Print help information and exit.
Print version information and exit.
This manual page was written by Jeremy A. Mowery <firstname.lastname@example.org>.
Copyright(C) 2003-2008 Tresys Technology, LLC
Please report bugs via an email to email@example.com.