Diffstat (limited to 'man')
-rw-r--r--  man/Makefile.am            19
-rw-r--r--  man/apol.1                 43
-rw-r--r--  man/findcon.1             119
-rw-r--r--  man/indexcon.1             36
-rw-r--r--  man/replcon.1             102
-rw-r--r--  man/seaudit-report.8.in    38
-rw-r--r--  man/seaudit.8              49
-rw-r--r--  man/sechecker.1           136
-rw-r--r--  man/sediff.1              118
-rw-r--r--  man/sediffx.1              75
-rw-r--r--  man/seinfo.1              109
-rw-r--r--  man/sesearch.1            113
12 files changed, 957 insertions, 0 deletions
diff --git a/man/Makefile.am b/man/Makefile.am
new file mode 100644
index 0000000..0fafccb
--- /dev/null
+++ b/man/Makefile.am
@@ -0,0 +1,19 @@
+if BUILD_GUI
+ MAYBEMANS = apol.1 \
+ seaudit.8 seaudit-report.8 \
+ sediffx.1
+endif
+
+EXTRA_DIST=$(man_MANS) apol.1 \
+ seaudit.8 seaudit-report.8.in \
+ sediffx.1
+
+man_MANS = findcon.1 indexcon.1 replcon.1 \
+ sechecker.1 \
+ sediff.1 \
+ seinfo.1 sesearch.1 $(MAYBEMANS)
+
+seaudit-report.8: seaudit-report.8.in Makefile
+ sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@
+
+CLEANFILES = seaudit-report.8
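Review bot: "EXTRA_DIST=$(man_MANS) apol.1 ..." distributes whatever man_MANS expands to, and under BUILD_GUI that includes the generated seaudit-report.8 (the target of the sed rule, also listed in CLEANFILES), so "make dist" would ship a build product with one machine's $(setoolsdir) substituted in, while apol.1, seaudit.8 and sediffx.1 end up listed twice. Drop $(man_MANS) from EXTRA_DIST and list only the sources; seaudit-report.8.in is already there. Separately, "$<" in an explicit (non-suffix) rule is a GNU make extension that automake warns about under -Wportability; writing "$(srcdir)/seaudit-report.8.in" instead is portable and also works for VPATH builds.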
diff --git a/man/apol.1 b/man/apol.1
new file mode 100644
index 0000000..c8cdb91
--- /dev/null
+++ b/man/apol.1
@@ -0,0 +1,43 @@
+.TH apol 1
+.SH NAME
+apol \- SELinux policy analysis tool
+.SH SYNOPSIS
+.B apol
+[OPTIONS] [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B apol
+is a graphical tool that allows the user to inspect aspects of a SELinux policy.
+The tool allows the user to browse policy components (types, classes, roles, users, etc.), rules (TE, RBAC, MLS), and file system contexts.
+The tool also provides in depth analyses of domain transitions, information flows, and relabeling permissions.
+.SH POLICY
+.PP
+.B
+apol
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If a policy is not given on the command line then
+.B
+apol
+will begin with none loaded.
+.SH OPTIONS
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2001-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+seinfo(1), sesearch(1), sechecker(1), indexcon(1)
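Review bot: ".TH apol 1" gives only the name and section, so the rendered header and footer will have no date, source or manual fields; the usual form is ".TH apol 1 DATE SETools "SETools Manual"" (DATE being a placeholder for the release date), and the same applies to every page in this series. The two-line ".B" followed by "apol" on the next line works because ".B" without an argument bolds the following input line, but ".B apol" on one line, as already used in DESCRIPTION, is easier to read and maintain. Minor wording: "a SELinux policy" reads more naturally as "an SELinux policy", which recurs in the POLICY section of each page.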
diff --git a/man/findcon.1 b/man/findcon.1
new file mode 100644
index 0000000..e7bf825
--- /dev/null
+++ b/man/findcon.1
@@ -0,0 +1,119 @@
+.TH findcon 1
+.SH NAME
+findcon \- SELinux file context search tool
+.SH SYNOPSIS
+.B findcon
+FCLIST [OPTIONS] [EXPRESSION]
+.SH DESCRIPTION
+.PP
+.B findcon
+allows the user to search for files with a specified context.
+Results can be filtered by object class as described below.
+.SH FCLIST
+The
+.B findcon
+tool operates upon a file context list source. There are three valid
+file context lists.
+.IP directory
+If
+.B FCLIST
+is a name of a directory then begin the search at that directory and
+recurse within it. Be sure there are no circular mounts within it.
+.IP file_contexts
+If
+.B FCLIST
+is the name of a file_contexts file (e.g.,
+/etc/selinux/strict/contexts/files/file_contexts) then open that file
+and find matching entries.
+.IP database
+If
+.B FCLIST
+is the name of a database as created by a previous run of
+.B indexcon
+or
+.B apol
+then open the database and execute queries into it.
+.SH EXPRESSION
+.P
+The following options allow the user to specify which files to print.
+A file must meet all specified criteria.
+If no expression is provided, all files are printed.
+.IP "-t TYPE, --type=TYPE"
+Search for files with a context containing the type TYPE.
+.IP "-u USER, --user=USER"
+Search for files with a context containing the user USER.
+.IP "-r ROLE, --role=ROLE"
+Search for files with a context containing the role ROLE.
+.IP "-m RANGE, --mls-range=RANGE"
+Search for files with a context with the MLS range of RANGE. Note
+that
+.B findcon
+ignores the SELinux translation library, if present. In addition,
+this flag is ignored if the
+.B FCLIST
+has no MLS information.
+.IP "--context=CONTEXT"
+Search for files matching this partial context. This flag overrides
+-t, -u, -r, and -m.
+.IP "-p PATH, --path=PATH"
+Search for files which include PATH.
+.IP "-c CLASS, --class=CLASS"
+Search only files of object class CLASS.
+.SH OPTIONS
+The following additional options are available.
+.IP "-R, --regex"
+Search using regular expressions instead of exact string matching.
+This option does not affect the --class flag.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH PARTIAL CONTEXT
+The
+.B --context
+flag specifies a partial context, which is a a colon separated list of
+user, role, and type. If the system supports MLS, the context may
+have a fourth field that gives the range. If a field is not specified
+or is the literal asterisk, then the query will always match the field.
+.SH OBJECT CLASSES
+Valid object class strings are
+.PP
+block,
+char,
+dir,
+fifo,
+file,
+link, or
+sock.
+.SH NOTE
+The findcon utility always operates on "raw" SELinux file contexts.
+If the system has an installed translation library (i.e., libsetrans),
+those translations are ignored in favor of reading the original
+contexts from the filesystem (if FCFILE is a directory).
+.SH EXAMPLES
+.TP
+.B findcon .
+Find every context in the current directory and all of its
+subdirectories.
+.TP
+.B findcon -u user_u .
+Find every context whose user is user_u in the current directory and
+all subdirectories.
+.TP
+.B findcon -u system_u -t bin_t file_contexts
+Find entries user system_u and type bin_t within a file_contexts file,
+assuming that file_contexts is a file contexts file.
+.TP
+.B findcon --context=system_u::bin_t file_contexts
+This is equivalent to the previous example.
+.TP
+.B findcon --context=system_u:*:bin_t:* file_contexts
+This is also equivalent to the above example.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+replcon(1), indexcon(1)
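Review bot: the NOTE section refers to "FCFILE" ("if FCFILE is a directory") but the argument is called FCLIST everywhere else on the page, including the SYNOPSIS and the FCLIST section; rename it for consistency. In PARTIAL CONTEXT, "a a colon separated list" has a doubled article and should read "a colon-separated list". The third example's description, "Find entries user system_u and type bin_t", is missing a word: "Find entries with user system_u and type bin_t".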
diff --git a/man/indexcon.1 b/man/indexcon.1
new file mode 100644
index 0000000..6ecbbf4
--- /dev/null
+++ b/man/indexcon.1
@@ -0,0 +1,36 @@
+.TH indexcon 1
+.SH NAME
+indexcon \- SELinux file context indexing tool
+.SH SYNOPSIS
+.B indexcon
+FILE [OPTIONS]
+.SH DESCRIPTION
+.PP
+.B indexcon
+allows the user to index the file contexts on a SELinux system,
+beginning with the root directory (
+.B
+/
+) and recursing into subdirectories.
+The index will be written to FILE.
+The index can be searched using apol or findcon.
+.SH OPTIONS
+.IP "-d DIR, --directory=DIR"
+Start scanning at directory DIR, and recurse through its subdirectories.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH NOTE
+The indexcon utility always operates on "raw" SELinux file contexts.
+If the system has an installed translation library (i.e., libsetrans),
+those translations are ignored in favor of reading the original
+contexts from the filesystem.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+apol(1), findcon(1)
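Review bot: the root-directory reference in DESCRIPTION is split over four input lines ("(", ".B", "/", ")"), and since troff joins input lines with a space it will render as "( / )" rather than "(/)"; use ".RB ( / )" on one line, which sets the parentheses in roman and the slash in bold. The description also states that indexing always begins at "/", while "-d DIR" below changes the starting directory; adding "by default" to the description makes the two agree.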
diff --git a/man/replcon.1 b/man/replcon.1
new file mode 100644
index 0000000..8aca08a
--- /dev/null
+++ b/man/replcon.1
@@ -0,0 +1,102 @@
+.TH replcon 1
+.SH NAME
+replcon \- SELinux file context replacement tool
+.SH SYNOPSIS
+.B replcon
+NEW_CONTEXT DIR [OPTIONS] [EXPRESSION]
+.SH DESCRIPTION
+.PP
+.B replcon
+allows the user to find and replace file contexts.
+Replacements can be filtered by object class as described below.
+.SH REQUIRED ARGUMENTS
+.IP NEW_CONTEXT
+The replacement context as expressed as a partial context, described
+below.
+.IP DIR
+Initial directory to begin searching. The tool will recurse into any
+subdirectories, so be sure there are no circular mounts within it.
+.SH EXPRESSION
+.P
+The following options allow the user to specify which files to find.
+A file must meet all specified criteria for its context to be
+replaced. If no expression is provided, all files' contexts are
+replaced.
+.IP "-t TYPE, --type=TYPE"
+Search for files with a context containing the type TYPE.
+.IP "-u USER, --user=USER"
+Search for files with a context containing the user USER.
+.IP "-r ROLE, --role=ROLE"
+Search for files with a context containing the role ROLE.
+.IP "-m RANGE, --mls-range=RANGE"
+Search for files with a context with the MLS range of RANGE. Note
+that
+.B replcon
+ignores the SELinux translation library, if present. In addition,
+this flag is ignored if
+.B DIR
+has no MLS information.
+.IP "--context=CONTEXT"
+Search for files matching this partial context. This flag overrides
+-t, -u, -r, and -m.
+.IP "-p PATH, --path=PATH"
+Search for files which include PATH.
+.IP "-c CLASS, --class=CLASS"
+Search only files of object class CLASS.
+.SH OPTIONS
+.IP "-v, --verbose"
+Display context info during replacement.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH PARTIAL CONTEXT
+The
+.B --context
+flag and
+.B NEW_CONTEXT
+argument specify a partial context, which is a a colon separated list
+of user, role, and type. If the system supports MLS, the context may
+have a fourth field that gives the range. With
+.B --context
+if a field is not specified or is the literal asterisk, then the query
+will always match the field. With
+.B NEW_CONTEXT
+if a field is not specified or is the literal asterisk, then that
+portion of the context will not be modified.
+.SH OBJECT CLASSES
+Valid object class strings are
+.PP
+block,
+char,
+dir,
+fifo,
+file,
+link, or
+sock.
+.SH NOTE
+The replcon utility always operates on "raw" SELinux file contexts.
+If the system has an installed translation library (i.e., libsetrans),
+those translations are ignored in favor of reading the original
+contexts from the filesystem.
+.SH EXAMPLES
+.TP
+.B replcon ::type_t: .
+Replace every context's type in the current directory with type_t.
+The user and role portion remain unchanged.
+.TP
+.B replcon -u user_u *:role_r:* .
+Replace every context's role with user user_u in the current directory
+with role_r. The user and type portion remain unchanged.
+.TP
+.B replcon --context ::type_t:s0 :::s0:c0 /tmp
+Replace every context with type type_t and MLS range s0 in /tmp
+with MLS range s0:c0.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+findcon(1), indexcon(1)
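Review bot: the second example, "replcon -u user_u *:role_r:* .", passes an unquoted "*:role_r:*", which the shell treats as a glob pattern; most shells pass it through literally when nothing matches, but the result depends on the shell and its glob settings, so the example should quote it ('*:role_r:*'). The third example places "--context ::type_t:s0" before NEW_CONTEXT and DIR, which does not follow the SYNOPSIS order "NEW_CONTEXT DIR [OPTIONS] [EXPRESSION]", and uses a space where the option is documented as "--context=CONTEXT"; make the example and the synopsis agree. Its description, "Replace every context's role with user user_u in the current directory with role_r", also reads better as "For every context with user user_u in the current directory, replace the role with role_r". PARTIAL CONTEXT repeats the doubled article "a a colon separated list".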
diff --git a/man/seaudit-report.8.in b/man/seaudit-report.8.in
new file mode 100644
index 0000000..f4c5f4f
--- /dev/null
+++ b/man/seaudit-report.8.in
@@ -0,0 +1,38 @@
+.TH seaudit-report 8
+.SH NAME
+seaudit-report \- SELinux audit log reporting tool
+.SH SYNOPSIS
+.B seaudit-report
+[OPTIONS] LOGFILE ...
+.SH DESCRIPTION
+.PP
+.B seaudit-report
+allows the user to generate custom audit log reports from the command line or by integration with the Logwatch tool.
+.SH OPTIONS
+.IP "-s, --stdin"
+Read log data from standard input instead of from a file.
+File(s) specified on the command line will be ignored.
+.IP "-m, --malformed"
+Include malformed log messages in generated report.
+.IP "-o FILE, --output=FILE"
+Write output to FILE instead of standard output.
+.IP "-c FILE, --config=FILE"
+Read configuration options from FILE instead of the default config file.
+.IP "--html"
+Set output format to HTML instead of plain text.
+.IP "--stylesheet=FILE"
+Specify the HTML stylesheet to use for formatting the HTML report.
+This option is ignored if --html is not given.
+See the default styesheet for an example (installed at @setoolsdir@/seaudit-report.css).
+.IP "-V, --version"
+Print version information and exit.
+.IP "-h, --help"
+Print help information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2004-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+seaudit(8)
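Review bot: "styesheet" in the --stylesheet description is a typo for "stylesheet". The SYNOPSIS shows "LOGFILE ..." as required, but "-s, --stdin" says log data is read from standard input and any files on the command line are ignored, so the synopsis should mark the files optional, e.g. "[OPTIONS] [LOGFILE ...]", or add a second synopsis line for the --stdin form.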
diff --git a/man/seaudit.8 b/man/seaudit.8
new file mode 100644
index 0000000..1c3eb2e
--- /dev/null
+++ b/man/seaudit.8
@@ -0,0 +1,49 @@
+.TH seaudit 8
+.SH NAME
+seaudit \- SELinux graphical audit log analysis tool
+.SH SYNOPSIS
+.B seaudit
+[OPTIONS] [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B seaudit
+allows the user to view and filter the contents of a log file.
+.B seaudit
+supports the syslog and auditd log formats and provides queries to inspect the SELinux policy based on log messages.
+.SH POLICY
+.PP
+.B
+seaudit
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If no policy file is provided,
+.B
+seaudit
+will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found.
+If no policy can be found,
+.B
+seaudit
+will begin with no policy loaded.
+.SH OPTIONS
+.IP "-l FILE, --log=FILE"
+Upon startup, open the log FILE instead of the system log file.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2006-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+seaudit-report(8)
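Review bot: the default-policy paragraph here is the same as the one in sechecker.1 and seinfo.1 in this commit except that those two add "In the latter case, the policy will be downgraded to match the running system." If seaudit uses the same policy loader, the sentence belongs here as well; if the behaviour genuinely differs, a sentence saying so would stop readers from assuming the omission is accidental.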
diff --git a/man/sechecker.1 b/man/sechecker.1
new file mode 100644
index 0000000..ecc2a07
--- /dev/null
+++ b/man/sechecker.1
@@ -0,0 +1,136 @@
+.TH sechecker 1
+.SH NAME
+sechecker \- SELinux policy checking tool
+.SH SYNOPSIS
+.B sechecker
+[OPTIONS] -p profile [POLICY ...]
+.br
+.B sechecker
+[OPTIONS] -m module [POLICY ...]
+.br
+.B sechecker
+[OPTIONS] -p profile -m module [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B sechecker
+allows the user to perform predefined modular checks on a SELinux policy.
+Profiles exist to group modules together and allow modification of module settings (see below).
+.SH POLICY
+.PP
+.B
+sechecker
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If no policy file is provided,
+.B
+sechecker
+will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found.
+In the latter case, the policy will be downgraded to match the running system.
+If no policy can be found,
+.B
+sechecker
+will print an error message and exit.
+.SH OPTIONS
+.IP "-p PROFILE, --profile=PROFILE"
+Load module settings from a module profile.
+The settings in the profile will override the default settings for all specified modules.
+If specified without -m, run all modules in the profile.
+PROFILE may either be the name of a known profile (see --list) or the path to a user created profile.
+see PROFILE OPTIONS below for more information about creating profiles.
+.IP "-m MODULE, --module=MODULE"
+Run only the module named MODULE (see --list).
+.IP "--min-sev=SEVERITY"
+Report only results with the minimum severity of SEVERITY.
+SEVERITY must have one of the following values:
+.RS
+.IP "low"
+The module's results indicate a flaw in the policy that does not affect the manner in which the policy is enforced, but is considered to be improper.
+.IP "med"
+The module's results indicate a flaw in the policy that changes the manner in which the policy is enforced; however, it does not present an identifiable security risk.
+.IP "high"
+The module's results indicate a flaw in the policy that presents an identifiable security risk.
+.RE
+.IP "--fcfile=FILE"
+Use FILE for the file_contexts file instead of the system default.
+This flag is only applicable if sechecker was configured with the
+.B
+--enable-sefs
+flag.
+.IP "-l, --list"
+Print a list of the name and a brief description of all known profiles and modules and exit.
+.IP "-h[MODULE], --help[=MODULE]"
+Print general help information and exit.
+If MODULE is provided, print help information for the module named MODULE and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SS REPORT GENERATION OPTIONS
+.P
+Only one of the following may be provided to specify the length of the report for all modules.
+If provided, this option overrides both profile and module default output settings.
+.IP "-q, --quiet"
+suppress output
+.IP "-s, --short"
+print short output
+.IP "-v, --verbose"
+print verbose output
+.SH PROFILE OPTIONS
+Profiles are used to group modules together, to specify the output format for each module in the report, and to provide the ability to override the modules' default options. Each profile is a well-formed XML document, as specified by the DTD installed with sechecker. An example profile follows:
+.PP
+<sechecker version="1.1">
+.br
+ <profile>
+.br
+ <module name="find_domains">
+.br
+ <output value="quiet"/>
+.br
+ <option name="domain_attribute">
+.br
+ <item value="domain"/>
+.br
+ <item value="user_domain"/>
+.br
+ ...
+.br
+ </option>
+.br
+ </module>
+.br
+ ...
+.br
+ </profile>
+.br
+</sechecker>
+.PP
+The example profile specifies the output property for the find_domains module.
+The example profile also overrides the default value for the "domain_attribute" option in the find_domains module.
+.SS PROFILE OUTPUT OPTIONS
+The valid output values for each module are specified below:
+.IP "verbose"
+Print each result in the report with accompanying proof(s).
+.IP "short"
+Print a list of results with no accompanying proof.
+.IP "none"
+Do not print output from this module in the report; however, module errors will still be printed.
+.IP "quiet"
+Do not print output from this module in the report and do not print errors. This is useful for utility modules for which the calling module handles any errors.
+.SS PROFILE MODULE OPTIONS
+Several modules provide one or more options that can be set from a profile.
+Each option has one or more items.
+To check what options are available for a module use --help=MODULE, where MODULE is the name of the module as printed by --list.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2005-2008 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+apol(1)
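Review bot: in REPORT GENERATION OPTIONS the descriptions "suppress output", "print short output" and "print verbose output" are lowercase fragments without a period, unlike every other option on the page; write them as "Suppress output.", "Print short output." and "Print verbose output.". In the --profile description, "see PROFILE OPTIONS below" begins a sentence and should be capitalised. Also, "-q, --quiet" is described only as "suppress output" while the profile value "quiet" in PROFILE OUTPUT OPTIONS additionally suppresses module errors and "none" keeps them; since the text says the command-line flag overrides the profile's output settings, state which of the two profile values -q corresponds to.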
diff --git a/man/sediff.1 b/man/sediff.1
new file mode 100644
index 0000000..ef4f3a9
--- /dev/null
+++ b/man/sediff.1
@@ -0,0 +1,118 @@
+.TH sediff 1
+.SH NAME
+sediff \- SELinux policy difference tool
+.SH SYNOPSIS
+.B sediff
+[OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY
+.SH DESCRIPTION
+.PP
+.B sediff
+allows the user to inspect the semantic differences between two SELinux policies.
+.SH POLICY
+.PP
+.B
+sediff
+supports loading SELinux policies in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+Policies do not need to be the same format. If not provided
+.B
+sediff
+will print an error message and exit.
+.SH EXPRESSIONS
+.P
+The user may specify an expression listing the policy elements to differentiate.
+If not provided, all supported policy elements sans neverallows are examined.
+.IP "-c, --class"
+Find differences in permissions assigned to object classes and common permission sets.
+.IP "--level"
+Find differences in categories authorized for MLS levels.
+.IP "--category"
+Find differences in category definitions.
+.IP "-t, --type"
+Find differences in attributes associated with types.
+.IP "-a, --attribute"
+Find differences in types assigned to attributes.
+.IP "-r, --role"
+Find differences in types authorized for roles.
+.IP "-u, --user"
+Find differences in roles authorized for users.
+.IP "-b, --bool"
+Find differences in the default values of booleans.
+.IP "-A, --allow"
+Find differences in allow rules.
+.IP "--auditallow"
+Find differences in auditallow rules.
+.IP "--dontaudit"
+Find differences in dontaudit rules.
+.IP "--neverallow"
+Find differences in neverallow rules.
+.IP "--type_trans"
+Find differences in type_transition rules.
+.IP "--type_member"
+Find differences in type_member rules.
+.IP "--type_change"
+Find differences in type_change rules.
+.IP "--role_trans"
+Find differences in role_transition rules.
+This includes differences in the default role.
+.IP "--role_allow"
+Find differences in role allow rules.
+.IP "--range_trans"
+Find differences in range_transition rules. This includes differences
+in the target MLS range.
+.SH OPTIONS
+.IP "-q, --quiet"
+If there are no differences for elements of a given kind,
+suppress status output for that kind of element.
+.IP "--stats"
+Print difference statistics only.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH DIFFERENCES
+.PP
+.B
+sediff
+categorizes differences in policy elements into one of three forms.
+.RS
+.IP "added"
+The element exists only in the modified policy.
+.IP "removed"
+The element exists only in the original policy.
+.IP "modified"
+The element exists in both policies but its semantic meaning has changed.
+For example, a class is modified if one or more permissions are added or removed.
+.RE
+.PP
+For all rules with types as their source or target, two additional forms of difference are recognized.
+This helps distinguish differences due to new types from differences in rules for existing types.
+.RS
+.IP "added, new type"
+The rule exists only in the modified policy;
+furthermore, one or more of the types in the rule do not exist in the original policy.
+.IP "removed, missing type"
+The rule exists only in the original policy;
+furthermore, one or more of the types in the rule do not exist in the modified policy.
+.RE
+.SH NOTE
+Most shells interpret the semicolon as a metacharacter, thus requiring
+a backslash like so:
+.B
+sediff original.policy \\; modified.policy
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2004-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+sediffx(1)
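Review bot: "Policies do not need to be the same format. If not provided sediff will print an error message and exit." leaves it unclear what "not provided" refers to; since the SYNOPSIS makes both policies mandatory, say "If either policy is not given, sediff will print an error message and exit." In EXPRESSIONS, "all supported policy elements sans neverallows" is clearer as "all supported policy elements except neverallow rules", matching the --neverallow wording below. The option names are written with a plain "-" (e.g. .IP "-c, --class") while the NAME line uses "\-"; groff renders an unescaped "-" in text as a typographic hyphen that does not paste back as an ASCII minus, so option dashes should be "\-" throughout this and the other pages.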
diff --git a/man/sediffx.1 b/man/sediffx.1
new file mode 100644
index 0000000..d2ab486
--- /dev/null
+++ b/man/sediffx.1
@@ -0,0 +1,75 @@
+.TH sediffx 1
+.SH NAME
+sediffx \- graphical SELinux policy difference tool
+.SH SYNOPSIS
+.B sediffx
+[\-d] [ORIGINAL_POLICY ; MODIFIED_POLICY]
+.SH DESCRIPTION
+.PP
+.B sediffx
+allows the user to graphically inspect the semantic differences between two SELinux policies.
+All supported policy elements are examined.
+.SH POLICY
+.PP
+.B
+sediffx
+supports loading SELinux policies in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+Policies do not need to be the same format. If not provided
+.B
+sediffx
+will begin with no policies loaded.
+.SH OPTIONS
+.IP "-d, --diff-now"
+Load the policies and differentiate them immediately.
+This option requires the user to specify the policies on the command line.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH DIFFERENCES
+.PP
+.B
+sediffx
+categorizes differences in policy elements into one of three forms.
+.RS
+.IP "added"
+The element exists only in the modified policy.
+.IP "removed"
+The element exists only in the original policy.
+.IP "modified"
+The element exists in both policies but its semantic meaning has changed.
+For example, a class is modified if one or more permissions are added or removed.
+.RE
+.PP
+For all rules with types as their source or target, two additional forms of difference are recognized.
+This helps distinguish differences due to new types from differences in rules for existing types.
+.RS
+.IP "added, new type"
+The rule exists only in the modified policy;
+furthermore, one or more of the types in the rule do not exist in the original policy.
+.IP "removed, missing type"
+The rule exists only in the original policy;
+furthermore, one or more of the types in the rule do not exist in the modified policy.
+.RE
+.SH NOTE
+Most shells interpret the semicolon as a metacharacter, thus requiring
+a backslash like so:
+.B
+sediffx original.policy \\; modified.policy
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2005-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+sediff(1)
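Review bot: the SYNOPSIS writes "[\-d]" with the escaped dash, but the OPTIONS entry writes "-d, --diff-now" unescaped; pick one form. The synopsis also lists only -d although -h and -V are accepted as well, so "[OPTIONS] [ORIGINAL_POLICY ; MODIFIED_POLICY]", as on the other pages in this commit, is more accurate. The --diff-now text says the option "requires the user to specify the policies on the command line" but not what happens when they are missing; one sentence stating the behaviour (error and exit, or the option being ignored) would close that gap.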
diff --git a/man/seinfo.1 b/man/seinfo.1
new file mode 100644
index 0000000..8612119
--- /dev/null
+++ b/man/seinfo.1
@@ -0,0 +1,109 @@
+.TH seinfo 1
+.SH NAME
+seinfo \- SELinux policy query tool
+.SH SYNOPSIS
+.B seinfo
+[OPTIONS] [EXPRESSION] [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B seinfo
+allows the user to query the components of a SELinux policy.
+.SH POLICY
+.PP
+.B
+seinfo
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If no policy file is provided,
+.B
+seinfo
+will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found.
+In the latter case, the policy will be downgraded to match the running system.
+If no policy can be found,
+.B
+seinfo
+will print an error message and exit.
+.SH EXPRESSIONS
+.P
+One or more of the following component types can be queried. Each option may only be specified once.
+If an option is provided multiple times, the last instance will be used. Some components support the -x flag to print expanded information
+about that component; if a particular component specified does not support expanded information,
+the flag will be ignored for that component (see -x below). If no expressions are provided, policy statistics will be printed (see --stats below).
+.IP "-c[NAME], --class[=NAME]"
+Print a list of object classes or, if NAME is provided, print the object class NAME.
+With -x, print a list of permissions for each displayed object class.
+.IP "--sensitivity[=NAME]"
+Print a list of sensitivities or, if NAME is provided, print the sensitivity NAME.
+With -x, print the corresponding level statement for each displayed sensitivity.
+.IP "--category[=NAME]"
+Print a list of categories or, if NAME is provided, print the category NAME.
+With -x, print a list of sensitivities with which each displayed category may be associated.
+.IP "-t[NAME], --type[=NAME]"
+Print a list of types (not including aliases or attributes) or, if NAME is provided, print the type NAME.
+With -x, print a list of attributes which include each displayed type.
+.IP "-a[NAME], --attribute[=NAME]"
+Print a list of type attributes or, if NAME is provided, print the attribute NAME.
+With -x, print a list of types assigned to each displayed attribute.
+.IP "-r[NAME], --role[=NAME]"
+Print a list of roles or, if NAME is provided, print the role NAME.
+With -x, print a list of types assigned to each displayed role.
+.IP "-u[NAME], --user[=NAME]"
+Print a list of users or, if NAME is provided, print the user NAME.
+With -x, print a list of roles assigned to each displayed user.
+.IP "-b[NAME], --bool[=NAME]"
+Print a list of conditional booleans or, if NAME is provided, print the boolean NAME.
+With -x, print the default state of each displayed conditional boolean.
+.IP "--initialsid[=NAME]"
+Print a list of initial SIDs or, if NAME is provided, print the initial SID NAME.
+With -x, print the context assigned to each displayed SID.
+.IP "--fs_use[=TYPE]"
+Print a list of fs_use statements or, if TYPE is provided, print the statement for filesystem TYPE.
+There is no expanded information for this component.
+.IP "--genfscon[=TYPE]"
+Print a list of genfscon statements or, if TYPE is provided, print the statement for the filesystem TYPE.
+There is no expanded information for this component.
+.IP "--netifcon[=NAME]"
+Print a list of netif contexts or, if NAME is provided, print the statement for interface NAME.
+There is no expanded information for this component.
+.IP "--nodecon[=ADDR]"
+Print a list of node contexts or, if ADDR is provided, print the statement for the node with address ADDR.
+There is no expanded information for this component.
+.IP "--portcon[=PORT]"
+Print a list of port contexts or, if PORT is provided, print the statement for port PORT.
+There is no expanded information for this component.
+.IP "--protocol=PROTO"
+Print only portcon statements for the protocol PROTO. This option is ignored if portcon statements are not printed or if no statement exists for the requested port.
+.IP "--constrain"
+Print a list of constraints.
+There is no expanded information for this component.
+.IP "--all"
+Print all components.
+.SH OPTIONS
+.IP "-x, --expand"
+Print additional details for each component matching the expression.
+These details include the types assigned to an attribute or role and the permissions for an object class.
+This option is not available for all component types; see the description of each component for the details this option will provide.
+.IP "--stats"
+Print policy statistics including policy type and version information and counts of all components and rules.
+.IP "-l"
+Print line breaks when displaying constraint statements.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2010 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+sesearch(1), apol(1)
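Review bot: The `.IP "-l"` entry is the only option in this page's OPTIONS section without a long form; if a `--` spelling exists it should be listed in the same `-x, --expand` style as the other entries, and if not, a short note saying so would stop readers from guessing. Two smaller points in the same hunk: `Copyright(C) 2003-2010` needs a space before `(C)` to match the usual man-page spelling, and the `--protocol=PROTO` text says "the requested port" without naming the option it refers to; "the port given to --portcon" would make the dependency explicit.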
diff --git a/man/sesearch.1 b/man/sesearch.1
new file mode 100644
index 0000000..d002faf
--- /dev/null
+++ b/man/sesearch.1
@@ -0,0 +1,113 @@
+.TH sesearch 1
+.SH NAME
+sesearch \- SELinux policy query tool
+.SH SYNOPSIS
+.B sesearch
+[OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]
+.SH DESCRIPTION
+.PP
+.B sesearch
+allows the user to search the rules in a SELinux policy.
+.SH POLICY
+.PP
+.B
+sesearch
+supports loading a SELinux policy in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+If no policy file is provided,
+.B
+sesearch
+will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found.
+In the latter case, the policy will be downgraded to match the running system.
+If no policy can be found,
+.B
+sesearch
+will print an error message and exit.
+.SH RULE TYPE OPTIONS
+.P
+.B
+sesearch
+is capable of searching multiple types of rules. At least one of the following
+must be provided to specify the desired type(s) of rules to search.
+.IP "-A, --allow"
+Search for allow rules.
+.IP "--neverallow"
+Search for neverallow rules.
+.IP "--auditallow"
+Search for auditallow rules.
+.IP "--dontaudit"
+Search for dontaudit rules.
+.IP "-T, --type"
+Search for type_transition, type_member, and type_change rules.
+.IP "--role_allow"
+Search for role allow rules.
+.IP "--role_trans"
+Search for role_transition rules.
+.IP "--range_trans"
+Search for range_transition rules.
+.IP "--all"
+Search all rule types.
+.SH EXPRESSIONS
+.P
+The user may specify an expression containing values for a given field(s) in a rule.
+Only those fields applicable to a given rule type will be used; all other fields will be ignored.
+(For example, type_transition rules will ignore the permissions field.)
+If no expression is specified or if none of the specified fields apply to a given rule type,
+all rules of that type are considered to match the expression.
+.IP "-s NAME, --source=NAME"
+Find rules with type/attribute NAME as their source.
+.IP "-t NAME, --target=NAME"
+Find rules with type/attribute NAME as their target.
+.IP "--role_source=NAME"
+Find rules with role NAME as their source.
+.IP "--role_target=NAME"
+Find rules with role NAME as their target.
+.IP "-c NAME, --class=NAME"
+Find rules with class NAME as their object class.
+.IP "-p P1[,P2,...] --perm=P1[,P2...]"
+Find rules with at least one of the specified permissions.
+Multiple permissions may be specified as a comma separated list;
+it is recommended that this list be quoted for shells that interpret comma as a special character.
+.IP "-b NAME, --bool=NAME"
+Find conditional rules with NAME in their conditional expression.
+This option will include rules in both the true and false lists of the conditional.
+.SH OPTIONS
+.P
+The following additional options exist to modify how the search is performed and the amount of information printed for each result.
+.IP "-d, --direct"
+Normally rules are matched using the type given or any of that type's
+attributes (or an attribute's types). This "indirect" matching also
+considers types used in complemented sets, the special set "*", and
+the special target "self". When the direct flag is given, matching is
+done literally. The rule must explicitly contain the given type (or
+attribute) for it to be returned.
+.IP "-R, --regex"
+Use regular expressions to match symbol names. By default only exact
+string matches will be considered.
+.IP "-n, --linenum"
+Print the line number for each rule. This option is ignored if using the --semantic option or if line numbers are not available for the given policy.
+.IP "-S, --semantic"
+Search rules semantically instead of syntactically. This option is implied for policies for which syntactic rules are not available.
+.IP "-C, --show_cond"
+Print the conditional expression and state for all conditional rules found.
+This option has no effect on unconditional rules.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2003-2008 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+seinfo(1), apol(1)
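Review bot: The `-p` entry header `.IP "-p P1[,P2,...] --perm=P1[,P2...]"` is missing the comma that every other entry uses between the short and long forms (`-s NAME, --source=NAME`), and its two bracket spellings disagree; suggest `.IP "-p P1[,P2,...], --perm=P1[,P2,...]"`. In the EXPRESSIONS paragraph, "containing values for a given field(s) in a rule" reads awkwardly; "containing values for one or more fields of a rule" says the same thing. Also, the COPYRIGHT line here reads `2003-2008` while the seinfo.1 page added in the same commit reads `2003-2010`; if both are current, the ranges should agree, and `Copyright(C)` wants a space before `(C)` as in the other page.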