diff options
Diffstat (limited to 'man/sesearch.1')
-rw-r--r-- | man/sesearch.1 | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/man/sesearch.1 b/man/sesearch.1 new file mode 100644 index 0000000..d002faf --- /dev/null +++ b/man/sesearch.1 @@ -0,0 +1,113 @@ +.TH sesearch 1 +.SH NAME +sesearch \- SELinux policy query tool +.SH SYNOPSIS +.B sesearch +[OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...] +.SH DESCRIPTION +.PP +.B sesearch +allows the user to search the rules in a SELinux policy. +.SH POLICY +.PP +.B +sesearch +supports loading a SELinux policy in one of four formats. +.IP "source" +A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf. +.IP "binary" +A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20. +.IP "modular" +A list of policy packages each containing a loadable policy module. The first module listed must be a base module. +.IP "policy list" +A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities. +.PP +If no policy file is provided, +.B +sesearch +will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found. +In the latter case, the policy will be downgraded to match the running system. +If no policy can be found, +.B +sesearch +will print an error message and exit. +.SH RULE TYPE OPTIONS +.P +.B +sesearch +is capable of searching multiple types of rules. At least one of the following +must be provided to specify the desired type(s) of rules to search. +.IP "-A, --allow" +Search for allow rules. +.IP "--neverallow" +Search for neverallow rules. +.IP "--auditallow" +Search for auditallow rules. +.IP "--dontaudit" +Search for dontaudit rules. +.IP "-T, --type" +Search for type_transition, type_member, and type_change rules. +.IP "--role_allow" +Search for role allow rules. +.IP "--role_trans" +Search for role_transition rules. +.IP "--range_trans" +Search for range_transition rules. +.IP "--all" +Search all rule types. +.SH EXPRESSIONS +.P +The user may specify an expression containing values for a given field(s) in a rule. +Only those fields applicable to a given rule type will be used; all other fields will be ignored. +(For example, type_transition rules will ignore the permissions field.) +If no expression is specified or if none of the specified fields apply to a given rule type, +all rules of that type are considered to match the expression. +.IP "-s NAME, --source=NAME" +Find rules with type/attribute NAME as their source. +.IP "-t NAME, --target=NAME" +Find rules with type/attribute NAME as their target. +.IP "--role_source=NAME" +Find rules with role NAME as their source. +.IP "--role_target=NAME" +Find rules with role NAME as their target. +.IP "-c NAME, --class=NAME" +Find rules with class NAME as their object class. +.IP "-p P1[,P2,...] --perm=P1[,P2...]" +Find rules with at least one of the specified permissions. +Multiple permissions may be specified as a comma separated list; +it is recommended that this list be quoted for shells that interpret comma as a special character. +.IP "-b NAME, --bool=NAME" +Find conditional rules with NAME in their conditional expression. +This option will include rules in both the true and false lists of the conditional. +.SH OPTIONS +.P +The following additional options exist to modify how the search is performed and the amount of information printed for each result. +.IP "-d, --direct" +Normally rules are matched using the type given or any of that type's +attributes (or an attribute's types). This "indirect" matching also +considers types used in complemented sets, the special set "*", and +the special target "self". When the direct flag is given, matching is +done literally. The rule must explicitly contain the given type (or +attribute) for it to be returned. +.IP "-R, --regex" +Use regular expressions to match symbol names. By default only exact +string matches will be considered. +.IP "-n, --linenum" +Print the line number for each rule. This option is ignored if using the --semantic option or if line numbers are not available for the given policy. +.IP "-S, --semantic" +Search rules semantically instead of syntactically. This option is implied for policies for which syntactic rules are not available. +.IP "-C, --show_cond" +Print the conditional expression and state for all conditional rules found. +This option has no effect on unconditional rules. +.IP "-h, --help" +Print help information and exit. +.IP "-V, --version" +Print version information and exit. +.SH AUTHOR +This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>. +.SH COPYRIGHT +Copyright(C) 2003-2008 Tresys Technology, LLC +.SH BUGS +Please report bugs via an email to setools-bugs@tresys.com. +.SH SEE ALSO +seinfo(1), apol(1) |