Provided by: setools_4.4.3-1_amd64

NAME

       seinfoflow - Information flow analysis for SELinux policies

SYNOPSIS

       seinfoflow [OPTIONS] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]

DESCRIPTION

       seinfoflow  is  a  command  line  tool  that  allows  the user to perform information flow
       analyses on an SELinux policy.

POLICY

       A single file containing a binary policy. This file is usually named by version  on  Linux
       systems,  for  example, policy.30. This file is usually named sepolicy on Android systems.
       If no policy file is provided, seinfoflow will  search  for  the  policy  running  on  the
       current  system.  If  no  policy  can be found, seinfoflow will print an error message and
       exit.

PERMISSION MAP

       A file containing mappings of object permissions for object classes. These mappings are
       the basis for computing the information flow between types. On Debian, a standard
       permission map is available at /var/lib/sepolgen/perm_map when the package
       python3-sepolgen is installed.

OPTIONS

   Analysis Settings
       -p POLICY
              Specify the policy to analyze. If none is specified, seinfoflow will search for the
              policy running on the current system.

       -m MAP Specify the path to the  permission  map  file  to  use  in  the  information  flow
              analysis.

       -s SOURCE
              Specify the source type to use in the information flow analysis.

       -t TARGET
              Specify  the target type to use in the information flow analysis. Using this option
              will also require specifying an analysis algorithm.

   Analysis Algorithms
       seinfoflow uses graph algorithms to analyze the  information  flow  paths  of  an  SELinux
       policy.   The following algorithms are options for determining paths from a source type to
       a target type.

       -S     Print the shortest information flow path(s) from the  source  type  to  the  target
              type.  If multiple paths have the same length, all will be displayed.

       -A LIMIT
              Print all information flow path(s) up to LIMIT steps long. Depending on the
              connectivity of the policy, a limit of 5 or more may be extremely expensive.

   Analysis Options
       -w MIN_WEIGHT
              Specify the minimum permission weight to consider  for  the  analysis  (1-10).  The
              default is 3.

       -l LIMIT_FLOWS
              Specify  the  maximum  number  of  information  flows  to  output.  The  default is
              unlimited.

       EXCLUDE
              A space-separated list of types to exclude from the analysis.

   General Options
       -r, --reverse
              Display information flows into the source type. No  effect  if  a  target  type  is
              specified.

       --stats
              Print information flow graph statistics at the end of the analysis.

       -h, --help
              Print help information and exit.

       --full Print full rule lists for information flows.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       Show the shortest paths for a process running as httpd_t to access user home files,
       using the default permission map:

       # seinfoflow -s httpd_t -t user_home_t -S

       List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when the
       samba_enable_home_dirs and samba_create_home_dirs booleans are enabled:

       # seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
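
       The model behind the -S, -A, -w and EXCLUDE options, as an added illustration in Python
       that is not part of SETools or of the original manual page: a read permission moves data
       from the target type to the source type, a write moves it the other way, and flows below
       the minimum weight are dropped. The permission map entries, type names and allow rules
       are constructed for the example, and path length is counted in steps.

```python
# Constructed permission map: (class, permission) -> (direction, weight 1-10).
# Direction is relative to the rule's source type: "r" read, "w" write, "b" both.
PERM_MAP = {
    ("file", "read"): ("r", 10), ("file", "write"): ("w", 10),
    ("file", "append"): ("w", 8), ("process", "getattr"): ("r", 2),
    ("unix_stream_socket", "connectto"): ("w", 7),
}
# Constructed allow rules: (source type, target type, class, permissions).
RULES = [
    ("web_t", "upload_t", "file", {"write"}), ("backup_t", "upload_t", "file", {"read"}),
    ("web_t", "log_t", "file", {"append"}), ("backup_t", "log_t", "file", {"read"}),
    ("scanner_t", "upload_t", "file", {"read"}),
    ("scanner_t", "backup_t", "unix_stream_socket", {"connectto"}),
    ("backup_t", "web_t", "process", {"getattr"}),
]

def build_graph(rules, perm_map, min_weight=3, exclude=()):
    """Return {type: {next_type: weight}}, keeping flows with weight >= min_weight."""
    graph = {}
    for src, tgt, cls, perms in rules:
        if src in exclude or tgt in exclude:
            continue
        for perm in perms:
            direction, weight = perm_map[(cls, perm)]
            if weight < min_weight:
                continue
            # A write moves data source -> target; a read moves it target -> source.
            flows = {"w": [(src, tgt)], "r": [(tgt, src)], "b": [(src, tgt), (tgt, src)]}
            for a, b in flows.get(direction, []):
                edges = graph.setdefault(a, {})
                edges[b] = max(edges.get(b, 0), weight)
    return graph

def all_paths(graph, source, target, limit):
    """Every loop-free path from source to target of at most `limit` steps (as with -A)."""
    found, stack = [], [[source]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            found.append(path)
        elif len(path) <= limit:  # len(path) - 1 steps used so far
            stack.extend(path + [n] for n in graph.get(path[-1], {}) if n not in path)
    return sorted(found, key=lambda p: (len(p), p))

def shortest_paths(graph, source, target):
    """All paths tied for the fewest steps (as with -S); brute force, for small graphs."""
    paths = all_paths(graph, source, target, limit=len(graph) + 1)
    return [p for p in paths if len(p) == len(paths[0])] if paths else []
```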

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), sesearch(1)