Provided by: setools_3.3.8+20151215-2_amd64 bug

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A  single  text file containing policy source for versions 12 through 21. This file
              is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for versions 15  through
              21. This file is usually named by version - for example, policy.20.

       modular
              A  list  of  policy  packages  each  containing a loadable policy module. The first
              module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy,  usually
              exported by SETools graphical utilities.

       If  no  policy  file  is  provided,  sesearch  will  search for the system default policy:
       checking first for a source policy, next for a binary policy matching the running kernel's
       preferred  version,  and finally for the highest version that can be found.  In the latter
       case, the policy will be downgraded to match the running system.   If  no  policy  can  be
       found, sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch  is  capable  of searching multiple types of rules. At least one of the following
       must be provided to specify the desired type(s) of rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for a given field(s) in a rule.  Only
       those  fields  applicable  to  a  given  rule  type will be used; all other fields will be
       ignored.  (For example, type_transition rules will ignore the permissions field.)   If  no
       expression is specified or if none of the specified fields apply to a given rule type, all
       rules of that type are considered to match the expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       -D NAME, --default=NAME
              Find rules with type NAME as their default.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...] --perm=P1[,P2...]
              Find rules with at least one of the specified  permissions.   Multiple  permissions
              may  be  specified  as  a comma separated list; it is recommended that this list be
              quoted for shells that interpret comma as a special character.

       -b NAME, --bool=NAME
              Find conditional rules with NAME in their conditional expression.  This option will
              include rules in both the true and false lists of the conditional.

OPTIONS

       The  following  additional  options  exist  to  modify how the search is performed and the
       amount of information printed for each result.

       -d, --direct
              Normally rules are matched using the type given or any of  that  type's  attributes
              (or  an  attribute's types).  This "indirect" matching also considers types used in
              complemented sets, the special set "*", and the special target  "self".   When  the
              direct flag is given, matching is done literally.  The rule must explicitly contain
              the given type (or attribute) for it to be returned.

       -R, --regex
              Use regular expressions to match  symbol  names.   By  default  only  exact  string
              matches will be considered.

       -n, --linenum
              Print  the  line  number  for  each  rule.   This  option  is  ignored if using the
              --semantic option or if line numbers are not available for the given policy.

       -S, --semantic
              Search rules semantically instead of syntactically.  This  option  is  implied  for
              policies for which syntactic rules are not available.

       -C, --show_cond
              Print  the  conditional expression and state for all conditional rules found.  This
              option has no effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT

       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)

                                                                                      sesearch(1)