Provided by: setools_4.4.0-1build1_amd64 bug

NAME

       sechecker - Configuration-driven automated SELinux policy analysis

SYNOPSIS

       sechecker [OPTIONS] config.ini [POLICY]

DESCRIPTION

       sechecker  is  an  automated SELinux policy analysis tool. It uses a configuration file to
       define one or more analysis checks.

POLICY

       A single file containing a binary policy. This file is usually named by version  on  Linux
       systems,  for  example, policy.30. This file is usually named sepolicy on Android systems.
       If not provided, sechecker will attempt to locate and open the current policy  running  on
       the system.

OPTIONS

       -o <path>
              Output the results to the specified path instead of stdout.

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

RETURN CODES

       sechecker has the following return codes:

       0      All checks passed.

       1      One or more checks failed.

       2      Error in the configuration file.

       3      Other errors, such as policy open error.

CONFIGURATION FILE

       The configuration file is in the .ini format. Each section is considered a check, with the
       configuration section name being the name of the check.  All  checks  have  the  following
       options:

       check_type = <name>
              This selects the type of test be be used in this check.  This is required.

       desc = <text>
              This is an optional text field.  If set, the contents are printed in the output and
              is typically used to explain the purpose of the check.

       disable = <text>
              This is an optional text field.  If it is set, the  check  will  not  run  and  the
              contents  of this text will be added to the report to explain why the check was not
              ran.

TYPE ENFORCEMENT ALLOW RULE ASSERTION

       This checks for the nonexistence of  type  enforcement  allow  rules.  The  check_type  is
       assert_te.   It will run the query and any unexpected results from the query, removing any
       exempted sources or targets, will be listed as failures.  Any expected  results  that  are
       not  seen will also be listed as failures.  If a rule has an empty attribute, rendering it
       useless, it will be ignored.  If a rule has an attribute, it will be considered a  failure
       unless all of the member types are exempted.

       Criteria options:

       source = <type or type attribute>
              The source type/attribute criteria for the query.

       target = <type or type attribute>
              The target type/attribute criteria for the query.

       tclass = <type or type attribute>[ ....]
              A space-separated list of object class criteria for the query.

       perms = <type or type attribute>[ ....]
              A space-separated list of permissions for the query.

       A least one of the above options must be set in this check.

       Additional Options:

       expect_source = <type or type attribute>[ ....]
              A  space-separated  list of types and type attributes.  Each of these types must be
              seen as the source of a rule that matches the criteria.  At the end of  the  query,
              each unseen type in this list will be reported as a failure. This is optional.

       expect_target = <type or type attribute>[ ....]
              A  space-separated  list of types and type attributes.  Each of these types must be
              seen as the target of a rule that matches the criteria.  At the end of  the  query,
              each unseen type in this list will be reported as a failure. This is optional.

       exempt_source = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and  type attributes.  Rules with these as the
              source will be ignored. This is optional.

       exempt_target = <type or type attribute>[ ....]
              A space-separated list of types and type  attributes.   Rules  with  these  as  the
              target will be ignored. This is optional.

       Note:  If  a  rule  has  an  attribute  source,  all  of  the  member types must be in the
       expect_source list or exempt_source list to pass.  Similarly, if a rule has  an  attribute
       target, all of the member types must be in the expect_target list or exempt_target list to
       pass.

ROLE BASED ACCESS CONTROL ALLOW RULE ASSERTION

       This checks for the nonexistence of role based access  control  (RBAC)  allow  rules.  The
       check_type  is  assert_rbac.   It  will  run the query and any unexpected results from the
       query, removing any exempted sources or targets, will be listed as failures.  Any expected
       results that are not seen will also be listed as failures.

       Criteria options:

       source = <role
              The source role criteria for the query.

       target = <role>
              The target role criteria for the query.

       A least one of the above options must be set in this check.

       Additional Options:

       expect_source = <role>[ ....]
              A space-separated list of roles.  Each of these roles must be seen as the source of
              a rule that matches the criteria.  At the end of the query,  each  unseen  role  in
              this list will be reported as a failure. This is optional.

       expect_target = <role>[ ....]
              A space-separated list of roles.  Each of these roles must be seen as the target of
              a rule that matches the criteria.  At the end of the query,  each  unseen  role  in
              this list will be reported as a failure. This is optional.

       exempt_source = <role>[ ....]
              A  space-separated  list of roles.  Rules with these as the source will be ignored.
              This is optional.

       exempt_target = <role>[ ....]
              A space-separated list of roles.  Rules with these as the target will  be  ignored.
              This is optional.

EMPTY TYPE ATTRIBUTE ASSERTION

       This  checks  that  the  specified attribute is empty.  This can optionally be set to also
       pass if the attribute does not exist.  The check_type is empty_typeattr.

       Options:

       attr = <type attribute>
              The type attribute to check.  This is required.

       missing_ok = <type attribute>
              Consider the check passing if the attribute does  not  exist.   This  is  optional.
              Default is false.

READ-ONLY EXECUTABLES ASSERTION

       This  checks  that  all  file  types that are executable are read-only.  The check_type is
       ro_execs.

       Options:

       exempt_file = <type or type attribute>[ ....]
              A space-separated list of types and type attributes.  These will not be  considered
              executable.  This is optional.

       exempt_exec_domain = <type or type attribute>[ ....]
              A  space-separated  list  of  types  and  type attributes.  Rules with these as the
              source will be ignored if they allow file execute permission.  This is optional.

       exempt_write_domain = <type or type attribute>[ ....]
              A space-separated list of types and type  attributes.   Rules  with  these  as  the
              source  will  be  ignored  if  they allow file write or append permissions on types
              determined executable.  This is optional.

CONFIGURATION EXAMPLES

       Example 1. A   check   called    "no_unconfined"    that    will    determine    if    the
       domain_unconfined_type attribute is empty or missing.

           [no_unconfined]
           check_type = empty_typeattr
           desc = Verify that the domain_unconfined_type attribute is missing or empty.
           attr = domain_unconfined_type
           missing_ok = True

       Example 2. A check called "ro_execs" that will determine if all executable types are read-
       only.

           [ro_execs]
           check_type = empty_typeattr
           desc = Verify that the all executables and libraries are read-only.

       Example 3. A check called "execheap" that will determine that there are  no  domains  with
       the execheap permission except for unconfined_execheap_t.

           [execheap]
           check_type = assert_te
           desc = Verify no domains have executable heap.
           tclass = process
           perms = execheap
           exempt_source = unconfined_execheap_t

AUTHOR

       Chris PeBenito <chpebeni@linux.microsoft.com>

BUGS

       Please        report       bugs       via       the       SETools       bug       tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)