Provided by: setools_3.3.8+20151215-2_amd64

NAME

       sechecker - SELinux policy checking tool

SYNOPSIS

       sechecker [OPTIONS] -p profile [POLICY ...]
       sechecker [OPTIONS] -m module [POLICY ...]
       sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION

       sechecker  allows  the  user to perform predefined modular checks on a SELinux policy.  Profiles exist to
       group modules together and allow modification of module settings (see below).

POLICY

       sechecker supports loading a SELinux policy in one of four formats.

       source A single text file containing policy source for versions 12 through 21. This file is usually named
              policy.conf.

       binary A  single  file containing a monolithic kernel binary policy for versions 15 through 21. This file
              is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module  listed  must
              be a base module.

       policy list
              A  single  text  file  containing all the information needed to load a policy, usually exported by
              SETools graphical utilities.

       If no policy file is provided, sechecker will search for the system default policy: checking first for  a
       source  policy, next for a binary policy matching the running kernel's preferred version, and finally for
       the highest version that can be found.  In the latter case, the policy will be downgraded  to  match  the
       running system.  If no policy can be found, sechecker will print an error message and exit.

OPTIONS

       -p PROFILE, --profile=PROFILE
              Load module settings from a module profile.  The settings in the profile will override the default
              settings for all specified modules.  If specified without -m, run all modules in the profile.
              PROFILE may either be the name of a known profile (see --list) or the path to a user-created
              profile.  See PROFILE OPTIONS below for more information about creating profiles.

       -m MODULE, --module=MODULE
              Run only the module named MODULE (see --list).

       --min-sev=SEVERITY
              Report only results with the minimum  severity  of  SEVERITY.   SEVERITY  must  have  one  of  the
              following values:

              low    The module's results indicate a flaw in the policy that does not affect the manner in which
                     the policy is enforced, but is considered to be improper.

              med    The module's results indicate a flaw in the policy that changes the  manner  in  which  the
                     policy is enforced; however, it does not present an identifiable security risk.

              high   The  module's  results indicate a flaw in the policy that presents an identifiable security
                     risk.

       --fcfile=FILE
              Use FILE for the file_contexts file instead of the system default.  This flag is  only  applicable
              if sechecker was configured with the --enable-sefs flag.

       -l, --list
              Print a list of the name and a brief description of all known profiles and modules and exit.

       -h[MODULE], --help[=MODULE]
              Print  general  help  information and exit.  If MODULE is provided, print help information for the
              module named MODULE and exit.

       -V, --version
              Print version information and exit.

   REPORT GENERATION OPTIONS
       Only one of the following may be provided to specify the length  of  the  report  for  all  modules.   If
       provided, this option overrides both profile and module default output settings.

       -q, --quiet
              Suppress output.

       -s, --short
              Print short output.

       -v, --verbose
              Print verbose output.

PROFILE OPTIONS

       Profiles  are used to group modules together, to specify the output format for each module in the report,
       and to provide the ability to override the modules' default options.  Each profile is a  well-formed  XML
       document, as specified by the DTD installed with sechecker.  An example profile follows:

       <sechecker version="1.1">
            <profile>
                 <module name="find_domains">
                      <output value="quiet"/>
                      <option name="domain_attribute">
                           <item value="domain"/>
                           <item value="user_domain"/>
                           ...
                      </option>
                 </module>
                 ...
            </profile>
       </sechecker>

       The  example profile specifies the output property for the find_domains module.  The example profile also
       overrides the default value for the "domain_attribute" option in the find_domains module.

   PROFILE OUTPUT OPTIONS
       The valid output values for each module are specified below:

       verbose
              Print each result in the report with accompanying proof(s).

       short  Print a list of results with no accompanying proof.

       none   Do not print output from this module in the report; however, module errors will still be printed.

       quiet  Do not print output from this module in the report and do not print errors.  This  is  useful  for
              utility modules for which the calling module handles any errors.

   PROFILE MODULE OPTIONS
       Several  modules provide one or more options that can be set from a profile.  Each option has one or more
       items.  To check what options are available for a module use --help=MODULE, where MODULE is the  name  of
       the module as printed by --list.
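       The following Python script is an added illustration and is not part of setools or sechecker.  It
       assembles a profile document with the element structure shown under PROFILE OPTIONS (sechecker,
       profile, module, output, option, item), rejects output values other than the four listed under PROFILE
       OUTPUT OPTIONS, parses the document back into a dictionary of per-module settings, and builds the
       corresponding sechecker command line from the SYNOPSIS.  The module name find_domains and its
       domain_attribute option come from the manual's example; the item values and the profile file name are
       constructed sample input.

```python
import xml.etree.ElementTree as ET

# Output values listed under PROFILE OUTPUT OPTIONS.
VALID_OUTPUT = ("verbose", "short", "none", "quiet")
# Values accepted by --min-sev, in ascending order.
SEVERITIES = ("low", "med", "high")


def build_profile(modules):
    """Return profile XML text.

    modules: list of (module_name, output_value, {option_name: [item, ...]}).
    """
    root = ET.Element("sechecker", version="1.1")
    profile = ET.SubElement(root, "profile")
    for name, output, options in modules:
        if output not in VALID_OUTPUT:
            raise ValueError(f"module {name}: invalid output value {output!r}")
        mod = ET.SubElement(profile, "module", name=name)
        ET.SubElement(mod, "output", value=output)
        for opt_name, items in options.items():
            opt = ET.SubElement(mod, "option", name=opt_name)
            for item in items:
                ET.SubElement(opt, "item", value=item)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root, space="     ")
    return ET.tostring(root, encoding="unicode")


def parse_profile(xml_text):
    """Parse profile XML into {module: {"output": value, "options": {name: [items]}}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "sechecker":
        raise ValueError("root element must be <sechecker>")
    profile = root.find("profile")
    if profile is None:
        raise ValueError("missing <profile> element")
    settings = {}
    for mod in profile.findall("module"):
        name = mod.get("name")
        if not name:
            raise ValueError("<module> without a name attribute")
        output_el = mod.find("output")
        output = output_el.get("value") if output_el is not None else None
        if output is not None and output not in VALID_OUTPUT:
            raise ValueError(f"module {name}: invalid output value {output!r}")
        options = {}
        for opt in mod.findall("option"):
            options[opt.get("name")] = [it.get("value") for it in opt.findall("item")]
        settings[name] = {"output": output, "options": options}
    return settings


def command_line(profile_path, module=None, min_sev=None, policy=None):
    """Build the argument vector for one of the three SYNOPSIS forms."""
    if min_sev is not None and min_sev not in SEVERITIES:
        raise ValueError(f"--min-sev must be one of {SEVERITIES}")
    argv = ["sechecker"]
    if min_sev is not None:
        argv.append(f"--min-sev={min_sev}")
    argv += ["-p", profile_path]
    if module is not None:
        argv += ["-m", module]
    if policy is not None:  # omitted: sechecker searches for the system default policy
        argv.append(policy)
    return argv


# Constructed sample profile: the manual's find_domains example with two attribute items.
SAMPLE_MODULES = [
    ("find_domains", "quiet", {"domain_attribute": ["domain", "user_domain"]}),
]

if __name__ == "__main__":
    xml_text = build_profile(SAMPLE_MODULES)
    print(xml_text)
    print(parse_profile(xml_text))
    print(" ".join(command_line("my_profile.xml", module="find_domains", min_sev="med")))
```

       Running the script prints the generated profile, the settings recovered from it, and the command that
       would run only find_domains with that profile, reporting results of medium severity and above.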

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

       Copyright(C) 2005-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       apol(1)
