diff options
Diffstat (limited to 'sechecker/sechecker_help.txt')
-rw-r--r-- | sechecker/sechecker_help.txt | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/sechecker/sechecker_help.txt b/sechecker/sechecker_help.txt new file mode 100644 index 0000000..a28496a --- /dev/null +++ b/sechecker/sechecker_help.txt @@ -0,0 +1,86 @@ +SELinux Policy Checker Tool Help File + + +This file contains the basic help information for using sechecker, a +program that runs a series of policy checks (modules) on a policy. +Sechecker is designed to be extensible and configurable so that +developers can easily add new policy checks and configure them to run +in batches with different options. + +Each module analyzes a policy. If a policy is not specified on the +command line, the tool uses the system policy by default. In +addition, some checks will require the file_contexts file in order to +run correctly. If the file_contexts file is not specified, the tool +will default to using the system file_contexts file by default. + +Checks can be run one at a time on the command line (by specifying a +module) or in a batch (by specifying a profile). The user can create +a custom profile to specify which modules to run, as well as the +modules' options. + +The return value of sechecker indicates whether a check failed on the +policy. Therefore sechecker may be used in shell scripts or makefiles +to do conditional branching. + + +Report Output: +-------------- +Sechecker generates a report with the output of each module that was +run. The report includes an explanation of each module, the modules' +severity, and the modules' results. There are three output options to +specify what gets included in the report. + +1) quiet - do not print the report +2) short - print the list of results for each module +3) verbose - print the list of results for each module and the list of + proofs for each result + + +Modules: +-------- +A module encapsulates a single check on the policy. Modules may take +options from the current profile; if no profile is given then modules +will use default values. See the help for the specific module(s) to +determine the parameters that may be overridden in a profile. + +Each module has a specified severity (high, med, low). These are +defined as follows: + +1) "high": The module's results indicate an identifiable security + risk in the SELinux policy. + +2) "med": The module's results indicate a flaw in the SELinux policy + that changes the manner in which the policy is enforced; however, + it does not present an identifiable security risk. + +3) "low": The module's results indicate a flaw in the policy that + does not affect the manner in which the policy is enforced, but is + considered to be improper. + + +Profiles: +--------- +Three profiles are installed with the sechecker program: + +1) development: This profile includes several policy checks of low + and med severity. The checks are common tasks that a policy + developer will consider helpful for writing good policy. + +2) analysis: This profile includes several policy checks of med and + low severity that are of higher computational complexity than the + development profile and is not meant to be used frequently by + policy developers. + +3) all: This profile runs all known modules. + +Profiles can be created to run any set of modules with different +options. The profile can specify the output format for each module. + + +Other Options: +-------------- +The user may specify a minimum module severity to report. For +example, if the minimum severity is "med" and the "all" profile is +used, all modules that are "med" or "high" will be run and the results +for those modules will be reported by sechecker. The "low" severity +modules listed in the profile will be ignored. |