Diffstat (limited to 'man/seinfo.1')
-rw-r--r-- man/seinfo.1 109
1 files changed, 109 insertions, 0 deletions
diff --git a/man/seinfo.1 b/man/seinfo.1
new file mode 100644
index 0000000..8612119
--- /dev/null
+++ b/man/seinfo.1
@@ -0,0 +1,109 @@
+.TH seinfo 1
+.SH NAME
+seinfo \- SELinux policy query tool
+.SH SYNOPSIS
+.B seinfo
+[OPTIONS] [EXPRESSION] [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B seinfo
+allows the user to query the components of a SELinux policy.
+.SH POLICY
+.PP
+.B
+seinfo
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If no policy file is provided,
+.B
+seinfo
+will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found.
+In the latter case, the policy will be downgraded to match the running system.
+If no policy can be found,
+.B
+seinfo
+will print an error message and exit.
+.SH EXPRESSIONS
+.P
+One or more of the following component types can be queried. Each option may only be specified once.
+If an option is provided multiple times, the last instance will be used. Some components support the -x flag to print expanded information
+about that component; if a particular component specified does not support expanded information,
+the flag will be ignored for that component (see -x below). If no expressions are provided, policy statistics will be printed (see --stats below).
+.IP "-c[NAME], --class[=NAME]"
+Print a list of object classes or, if NAME is provided, print the object class NAME.
+With -x, print a list of permissions for each displayed object class.
+.IP "--sensitivity[=NAME]"
+Print a list of sensitivities or, if NAME is provided, print the sensitivity NAME.
+With -x, print the corresponding level statement for each displayed sensitivity.
+.IP "--category[=NAME]"
+Print a list of categories or, if NAME is provided, print the category NAME.
+With -x, print a list of sensitivities with which each displayed category may be associated.
+.IP "-t[NAME], --type[=NAME]"
+Print a list of types (not including aliases or attributes) or, if NAME is provided, print the type NAME.
+With -x, print a list of attributes which include each displayed type.
+.IP "-a[NAME], --attribute[=NAME]"
+Print a list of type attributes or, if NAME is provided, print the attribute NAME.
+With -x, print a list of types assigned to each displayed attribute.
+.IP "-r[NAME], --role[=NAME]"
+Print a list of roles or, if NAME is provided, print the role NAME.
+With -x, print a list of types assigned to each displayed role.
+.IP "-u[NAME], --user[=NAME]"
+Print a list of users or, if NAME is provided, print the user NAME.
+With -x, print a list of roles assigned to each displayed user.
+.IP "-b[NAME], --bool[=NAME]"
+Print a list of conditional booleans or, if NAME is provided, print the boolean NAME.
+With -x, print the default state of each displayed conditional boolean.
+.IP "--initialsid[=NAME]"
+Print a list of initial SIDs or, if NAME is provided, print the initial SID NAME.
+With -x, print the context assigned to each displayed SID.
+.IP "--fs_use[=TYPE]"
+Print a list of fs_use statements or, if TYPE is provided, print the statement for filesystem TYPE.
+There is no expanded information for this component.
+.IP "--genfscon[=TYPE]"
+Print a list of genfscon statements or, if TYPE is provided, print the statement for the filesystem TYPE.
+There is no expanded information for this component.
+.IP "--netifcon[=NAME]"
+Print a list of netif contexts or, if NAME is provided, print the statement for interface NAME.
+There is no expanded information for this component.
+.IP "--nodecon[=ADDR]"
+Print a list of node contexts or, if ADDR is provided, print the statement for the node with address ADDR.
+There is no expanded information for this component.
+.IP "--portcon[=PORT]"
+Print a list of port contexts or, if PORT is provided, print the statement for port PORT.
+There is no expanded information for this component.
+.IP "--protocol=PROTO"
+Print only portcon statements for the protocol PROTO. This option is ignored if portcon statements are not printed or if no statement exists for the requested port.
+.IP "--constrain"
+Print a list of constraints.
+There is no expanded information for this component.
+.IP "--all"
+Print all components.
+.SH OPTIONS
+.IP "-x, --expand"
+Print additional details for each component matching the expression.
+These details include the types assigned to an attribute or role and the permissions for an object class.
+This option is not available for all component types; see the description of each component for the details this option will provide.
+.IP "--stats"
+Print policy statistics including policy type and version information and counts of all components and rules.
+.IP "-l"
+Print line breaks when displaying constraint statements.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2010 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+sesearch(1), apol(1)
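Review bot: In the EXPRESSIONS intro, "Each option may only be specified once" is followed directly by "If an option is provided multiple times, the last instance will be used", which reads as a contradiction; state only that a repeated option is overridden by its last instance. In the POLICY section, "In the latter case" follows a list of three search steps, so it is ambiguous which case triggers the downgrade; "In the last case", or naming the highest-version fallback explicitly, would remove the doubt about which policy the output reflects. The SYNOPSIS shows a single [EXPRESSION] while the text allows one or more, so [EXPRESSION ...] would match. Minor: the EXPRESSIONS section opens with .P where the other sections use .PP, the ".B" macro is written both as ".B seinfo" and split across two lines, and the -l option is not cross-referenced from the --constrain entry it affects.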