Provided by: setools_4.4.3-1_amd64

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]

DESCRIPTION

       sesearch allows the user to search the rules in an SELinux policy.

POLICY

       A single file containing a binary policy. This file is usually named by version on Linux
       systems, for example, policy.30. This file is usually named sepolicy on Android systems.
       If no policy file is provided, sesearch will search for the policy running on the current
       system. If no policy can be found, sesearch will print an error message and exit.

EXPRESSIONS

       The user may specify an expression containing values for one or more fields in a rule. If
       no expression is specified or if none of the specified fields apply to a given rule type,
       all rules of that type are considered to match the expression.

   Type Enforcement Rule Types
       -A     Find allow and allowxperm rules.

       --allow
              Find allow rules.

       --auditallow
              Find auditallow rules.

       --dontaudit
              Find dontaudit rules.

       --allowxperm
              Find allowxperm rules.

       --auditallowxperm
              Find auditallowxperm rules.

       --dontauditxperm
              Find dontauditxperm rules.

       -T, --type_trans
              Find type_transition rules.

       --type_member
              Find type_member rules.

       --type_change
              Find type_change rules.

   RBAC Rule Types
       --role_allow
              Find role allow rules.

       --role_trans
              Find role_transition rules.

       Note: TE/MLS rule searches cannot be mixed with RBAC rule searches.

   MLS Rule Types
       --range_trans
              Find range_transition rules.

   Rule Fields
       -s NAME, --source NAME
              Find rules with NAME as their source type/role.

       -t NAME, --target NAME
              Find rules with NAME as their target type/role.

       -D NAME, --default NAME
              Find rules with NAME as their default type/role/level.

       -c NAME, --class NAME
              Find rules with NAME as their object class.

       -p P1[,P2,...], --perm P1[,P2,...]
              Find rules with at least one of the specified permissions. Multiple permissions
              may be specified as a comma-separated list.

       -b BOOL[,B2,...], --bool BOOL[,B2,...]
              Find conditional rules with the named Boolean in their conditional expression.
              Multiple Booleans may be specified as a comma-separated list. This option will
              include rules in both the true and false lists of the conditional.

   Search Options
       The following additional options modify how the search is performed.

       -ds    A matching rule must have the specified source attribute/type/role explicitly,
              instead of matching by attribute contents.

       -dt    A matching rule must have the specified target attribute/type/role explicitly,
              instead of matching by attribute contents.

       -eb    A matching rule must have all specified Booleans, instead of matching any of the
              specified Booleans.

       -ep    A matching rule must have exactly the specified permissions, instead of matching
              any of the specified permissions.

       -ex    A matching rule must have exactly the specified extended permissions, instead of
              matching any listed extended permission.

       -Sp    A matching rule must have permissions that are a superset of the specified
              permissions, instead of matching any of the permissions.

       -rs    Use regular expression for matching the source type/role.

       -rt    Use regular expression for matching the target type/role.

       -rc    Use regular expression for matching the object class.

       -rd    Use regular expression for matching the default type/role.

       -rb    Use regular expression for matching Booleans.

OPTIONS

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       List allow (and allowxperm) rules for accessing files labeled container_file_t from
       domains with attribute container_domain:

              # sesearch -A -s container_domain -t container_file_t -c file

       List allow and dontaudit rules for accessing chr_files labeled container_file_t, that
       are controlled by boolean container_use_devices:

              # sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices

       List dontaudit rules assigned via application_domain_type attribute (rules concerning
       specific types with that attribute are excluded):

              # sesearch --dontaudit -s application_domain_type -ds
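
       The matching modes listed under Search Options, modelled in Python over one constructed
       attribute and four constructed allow rules. This is an added illustration, not part of
       the original manual page and not SETools code; expand(), search() and render() are
       hypothetical helpers, and treating "matching by attribute contents" as overlapping type
       sets is an assumption of the model.

```python
# Constructed sample data (not from a real policy): one attribute, four allow rules.
ATTRIBUTES = {"container_domain": {"container_t", "container_init_t"}}
RULES = [  # (source, target, class, permissions)
    ("container_domain", "container_file_t", "file", {"getattr", "read"}),
    ("container_t", "container_file_t", "file", {"open", "read", "write"}),
    ("container_t", "container_ro_file_t", "file", {"read"}),
    ("init_t", "container_file_t", "file", {"read", "write"}),
]

def expand(name):
    """Types covered by a name: an attribute's members, or the type itself."""
    return ATTRIBUTES.get(name, {name})

def source_matches(rule_source, name, direct=False):
    if direct:  # -ds: the name must be written in the rule itself
        return rule_source == name
    # Default: match by attribute contents (assumed model: overlapping type sets).
    return bool(expand(name) & expand(rule_source))

def perms_match(rule_perms, wanted, mode="any"):
    wanted = set(wanted)
    if mode == "exact":      # -ep: exactly the specified permissions
        return rule_perms == wanted
    if mode == "superset":   # -Sp: the rule grants all of them, possibly more
        return rule_perms >= wanted
    return bool(rule_perms & wanted)  # -p alone: at least one in common

def search(source=None, perms=None, direct=False, mode="any"):
    """Return the indexes of RULES that match, in policy order."""
    hits = []
    for i, (src, _tgt, _cls, rule_perms) in enumerate(RULES):
        if source is not None and not source_matches(src, source, direct):
            continue
        if perms is not None and not perms_match(rule_perms, perms, mode):
            continue
        hits.append(i)
    return hits

def render(i):
    """Format rule i roughly the way sesearch prints an allow rule."""
    src, tgt, cls, perms = RULES[i]
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    for label, kw in [("-s container_t", {"source": "container_t"}),
                      ("-s container_t -ds", {"source": "container_t", "direct": True}),
                      ("-p read,write -Sp", {"perms": ["read", "write"], "mode": "superset"})]:
        print(label, *(render(i) for i in search(**kw)), sep="\n    ")
```

       When auditing what a domain can do, the search without -ds is the one that includes
       rules the domain inherits through its attributes.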

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)