sesearch - SELinux policy query tool
sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]
sesearch allows the user to search the rules in a SELinux policy.
A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If no policy file is provided, sesearch will search for the policy running on the current system. If no policy can be found, sesearch will print an error message and exit.
The user may specify an expression containing values for one or more fields in a
rule. If no expression is specified or if none of the specified fields apply
to a given rule type, all rules of that type are considered to match the
expression.
- -A
- Find allow and allowxperm rules.
- --allow
- Find allow rules.
- --auditallow
- Find auditallow rules.
- --dontaudit
- Find dontaudit rules.
- --neverallow
- Find neverallow rules.
- --allowxperm
- Find allowxperm rules.
- --auditallowxperm
- Find auditallowxperm rules.
- --dontauditxperm
- Find dontauditxperm rules.
- --neverallowxperm
- Find neverallowxperm rules.
- -T, --type_trans
- Find type_transition rules.
- --type_member
- Find type_member rules.
- --type_change
- Find type_change rules.
- --role_allow
- Find role allow rules.
- --role_trans
- Find role_transition rules.
- --range_trans
- Find range_transition rules.
- -s NAME, --source NAME
- Find rules with NAME as their source type/role.
- -t NAME, --target NAME
- Find rules with NAME as their target type/role.
- -D NAME, --default NAME
- Find rules with NAME as their default type/role/level.
- -c NAME, --class NAME
- Find rules with NAME as their object class.
- -p P1[,P2,...], --perm P1[,P2,...]
- Find rules with at least one of the specified permissions.
Multiple permissions may be specified as a comma-separated list.
- -b BOOL[,B2,...], --bool BOOL[,B2,...]
- Find conditional rules with the named Boolean in their
conditional expression. Multiple Booleans may be specified as a
comma-separated list. This option will include rules in both the true and
false lists of the conditional.
The following additional options modify how the search is performed.
- -ds
- A matching rule must have the specified source
attribute/type/role explicitly, instead of matching by attribute
contents.
- -dt
- A matching rule must have the specified target
attribute/type/role explicitly, instead of matching by attribute
contents.
- -eb
- A matching rule must have all specified Booleans, instead
of matching any of the specified Booleans.
- -ep
- A matching rule must have exactly the specified
permissions, instead of matching any of the specified permissions.
- -Sp
- A matching rule must have permissions which are a superset
of the specified permissions, instead of matching any of the
permissions.
- -rs
- Use regular expression for matching the source
type/role.
- -rt
- Use regular expression for matching the target
type/role.
- -rc
- Use regular expression for matching the object class.
- -rd
- Use regular expression for matching the default
type/role.
- -rb
- Use regular expression for matching Booleans.
- -h, --help
- Print help information and exit.
- --version
- Print version information and exit.
- -v, --verbose
- Print additional informational messages.
- --debug
- Enable debugging output.
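
An added example, not part of the original manual page or the SETools project: shell functions that combine the options above for a write-access audit, plus a helper that summarizes the output by source domain. The function names, type and Boolean names, and the assumed output layout ("allow SRC TGT:CLASS PERMS;" with "[ EXPR ]:True" or "[ EXPR ]:False" appended to conditional rules) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the sesearch distribution. Type names, the
# Boolean name and any sample rules fed to these functions are placeholders.

# Allow rules granting BOTH write and open on files of type $1.
# -Sp requires the rule's permissions to be a superset of the list; with -p
# alone, a rule granting only "open" would also be reported.
# $2 is an optional policy file; without it the running policy is searched.
can_write_files() {
    sesearch --allow -t "$1" -c file -p write,open -Sp ${2:+"$2"}
}

# Same query, but only rules that name $1 itself as the target (-dt), which
# hides access granted through an attribute the type belongs to. Comparing
# the two outputs shows how much access is inherited via attributes.
can_write_files_direct() {
    sesearch --allow -t "$1" -dt -c file -p write,open -Sp ${2:+"$2"}
}

# Conditional allow rules for source domain $1 that involve Boolean $2
# (rules from both the true and false lists are returned).
gated_by_boolean() {
    sesearch --allow -s "$1" -b "$2" ${3:+"$3"}
}

# Reduce sesearch output on stdin to "source<TAB>gate" pairs, where gate is
# "unconditional" or the trailing conditional tag. Assumes rules print as
# "allow SRC TGT:CLASS PERMS;" with "[ EXPR ]:True|False" appended when the
# rule sits inside a conditional.
summarize_sources() {
    awk '
        $1 == "allow" {
            gate = "unconditional"
            if (match($0, /\[ .* \]:(True|False)$/))
                gate = substr($0, RSTART, RLENGTH)
            printf "%s\t%s\n", $2, gate
        }' | sort -u
}
```

Typical use is a pipeline such as can_write_files shadow_t | summarize_sources, which lists each domain once per gate so Boolean-dependent access stands apart from access that is always granted.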
Chris PeBenito
Please report bugs via the SETools bug tracker,
https://github.com/SELinuxProject/setools/issues
apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)