Provided by: setools_3.3.8-3ubuntu1_amd64 bug

NAME

       sechecker - SELinux policy checking tool

SYNOPSIS

       sechecker [OPTIONS] -p profile [POLICY ...]
       sechecker [OPTIONS] -m module [POLICY ...]
       sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION

       sechecker  allows  the  user  to  perform  predefined  modular checks on a SELinux policy.
       Profiles exist to group modules together and allow modification of  module  settings  (see
       below).

POLICY

       sechecker supports loading a SELinux policy in one of four formats.

       source A  single  text file containing policy source for versions 12 through 21. This file
              is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for versions 15  through
              21. This file is usually named by version - for example, policy.20.

       modular
              A  list  of  policy  packages  each  containing a loadable policy module. The first
              module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy,  usually
              exported by SETools graphical utilities.

       If  no  policy  file  is  provided,  sechecker  will search for the system default policy:
       checking first for a source policy, next for a binary policy matching the running kernel's
       preferred  version,  and finally for the highest version that can be found.  In the latter
       case, the policy will be downgraded to match the running system.   If  no  policy  can  be
       found, sechecker will print an error message and exit.

OPTIONS

       -p PROFILE, --profile=PROFILE
              Load  module  settings  from  a  module  profile.  The settings in the profile will
              override the default settings for all specified modules.  If specified without  -m,
              run  all modules in the profile.  PROFILE may either be the name of a known profile
              (see --list) or the path to a user created profile.  see PROFILE OPTIONS below  for
              more information about creating profiles.

       -m MODULE, --module=MODULE
              Run only the module named MODULE (see --list).

       --min-sev=SEVERITY
              Report  only results with the minimum severity of SEVERITY.  SEVERITY must have one
              of the following values:

              low    The module's results indicate a flaw in the policy that does not affect  the
                     manner in which the policy is enforced, but is considered to be improper.

              med    The  module's  results indicate a flaw in the policy that changes the manner
                     in  which  the  policy  is  enforced;  however,  it  does  not  present   an
                     identifiable security risk.

              high   The  module's  results  indicate  a  flaw  in  the  policy  that presents an
                     identifiable security risk.

       --fcfile=FILE
              Use FILE for the file_contexts file instead of the system default.   This  flag  is
              only applicable if sechecker was configured with the --enable-sefs flag.

       -l, --list
              Print  a list of the name and a brief description of all known profiles and modules
              and exit.

       -h[MODULE], --help[=MODULE]
              Print general help information  and  exit.   If  MODULE  is  provided,  print  help
              information for the module named MODULE and exit.

       -V, --version
              Print version information and exit.

   REPORT GENERATION OPTIONS
       Only  one  of  the  following  may be provided to specify the length of the report for all
       modules.  If provided, this option  overrides  both  profile  and  module  default  output
       settings.

       -q, --quiet
              suppress output

       -s, --short
              print short output

       -v, --verbose
              print verbose output

PROFILE OPTIONS

       Profiles  are used to group modules together, to specify the output format for each module
       in the report, and to provide the ability to override the modules' default options.   Each
       profile  is  a well-formed XML document, as specified by the DTD installed with sechecker.
       An example profile follows:

       <sechecker version="1.1">
            <profile>
                 <module name="find_domains">
                      <output value="quiet"/>
                      <option name="domain_attribute">
                           <item value="domain"/>
                           <item value="user_domain"/>
                           ...
                      </option>
                 </module>
                 ...
            </profile>
       </sechecker>

       The example profile specifies the  output  property  for  the  find_domains  module.   The
       example  profile also overrides the default value for the "domain_attribute" option in the
       find_domains module.

   PROFILE OUTPUT OPTIONS
       The valid output values for each module are specified below:

       verbose
              Print each result in the report with accompanying proof(s).

       short  Print a list of results with no accompanying proof.

       none   Do not print output from this module in the report;  however,  module  errors  will
              still be printed.

       quiet  Do not print output from this module in the report and do not print errors. This is
              useful for utility modules for which the calling module handles any errors.

   PROFILE MODULE OPTIONS
       Several modules provide one or more options that can be set from a profile.   Each  option
       has  one  or  more  items.   To  check  what  options  are  available  for  a  module  use
       --help=MODULE, where MODULE is the name of the module as printed by --list.

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT

       Copyright(C) 2005-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       apol(1)

                                                                                     sechecker(1)