NAME

seinfoflow - Information flow analysis for SELinux policies
 

SYNOPSIS

seinfoflow [OPTIONS] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]
 

DESCRIPTION

seinfoflow is a command line tool that allows the user to perform information flow analyses on an SELinux policy.
 

POLICY

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If no policy file is provided, seinfoflow will search for the policy running on the current system. If no policy can be found, seinfoflow will print an error message and exit.
 

PERMISSION MAP

A file containing mappings of object permissions for object classes. These mappings are the basis on how to compute the infoflow between types. On Debian a standard permission map can be found when the package python3-sepolgen is installed at /var/lib/sepolgen/perm_map.
 

OPTIONS

Analysis Settings

-p POLICY
Specify the policy to analyze. If none is specified, seinfoflow will search for the policy running on the current system.
-m MAP
Specify the path to the permission map file to use in the information flow analysis.
-s SOURCE
Specify the source type to use in the information flow analysis.
-t TARGET
Specify the target type to use in the information flow analysis. Using this option will also require specifying an analysis algorithm.

Analysis Algorithms

seinfoflow uses graph algorithms to analyze the information flow paths of an SELinux policy. The following algorithms are options for determining paths from a source type to a target type.
-S
Print the shortest information flow path(s) from the source type to the target type. If multiple paths have the same length, all will be displayed.
-A LIMIT
Print all information flow path(s) up to LIMIT steps long. Depending on the connectiveness of the policy, a limit of 5 or more may be extremely expensive.

Analysis Options

-w MIN_WEIGHT
Specify the minimum permission weight to consider for the analysis (1-10). The default is 3.
-l LIMIT_FLOWS
Specify the maximum number of information flows to output. The default is unlimited.
EXCLUDE
A space-separated list of types to exclude from the analysis.

General Options

--stats
Print information flow graph statistics at the end of the analysis.
-h, --help
Print help information and exit.
--version
Print version information and exit.
-v, --verbose
Print additional informational messages.
--debug
Enable debugging output.

AUTHOR

Chris PeBenito <[email protected]>
 

BUGS

Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues
 

SEE ALSO

apol(1), sediff(1), sedta(1), seinfo(1), sesearch(1)

Recommended readings

Pages related to seinfoflow you should read also:
apol(1) sediff(1) sedta(1) seinfo(1) sesearch(1)

Questions & Answers

Helpful answers and articles about seinfoflow you may found on these sites:
Stack Overflow Server Fault Super User Unix & Linux Ask Ubuntu Network Engineering DevOps Raspberry Pi Webmasters Google Search