Provided by: setools_3.3.8+20151215-2_amd64

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] RULE_TYPE [RULE_TYPE ...] [EXPRESSION] [POLICY ...]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       sesearch supports loading a SELinux policy in one of four formats.

       source A single text file containing policy source for versions 12 through 21. This file is usually named
              policy.conf.

       binary A  single  file containing a monolithic kernel binary policy for versions 15 through 21. This file
              is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module  listed  must
              be a base module.

       policy list
              A  single  text  file  containing all the information needed to load a policy, usually exported by
              SETools graphical utilities.

       If no policy file is provided, sesearch will search for the system default policy: checking first  for  a
       source  policy, next for a binary policy matching the running kernel's preferred version, and finally for
       the highest version that can be found.  In this last case, the policy will be downgraded to match the
       running system.  If no policy can be found, sesearch will print an error message and exit.

RULE TYPE OPTIONS

       sesearch  is capable of searching multiple types of rules. At least one of the following must be provided
       to specify the desired type(s) of rules to search.

       -A, --allow
              Search for allow rules.

       --neverallow
              Search for neverallow rules.

       --auditallow
              Search for auditallow rules.

       --dontaudit
              Search for dontaudit rules.

       -T, --type
              Search for type_transition, type_member, and type_change rules.

       --role_allow
              Search for role allow rules.

       --role_trans
              Search for role_transition rules.

       --range_trans
              Search for range_transition rules.

       --all  Search all rule types.

EXPRESSIONS

       The user may specify an expression containing values for one or more fields of a rule.  Only those fields
       applicable  to  a  given  rule  type  will  be  used;  all  other  fields will be ignored.  (For example,
       type_transition rules will ignore the permissions field.)  If no expression is specified or  if  none  of
       the  specified  fields  apply  to  a  given rule type, all rules of that type are considered to match the
       expression.

       -s NAME, --source=NAME
              Find rules with type/attribute NAME as their source.

       -t NAME, --target=NAME
              Find rules with type/attribute NAME as their target.

       -D NAME, --default=NAME
              Find rules with type NAME as their default.

       --role_source=NAME
              Find rules with role NAME as their source.

       --role_target=NAME
              Find rules with role NAME as their target.

       -c NAME, --class=NAME
              Find rules with class NAME as their object class.

       -p P1[,P2,...], --perm=P1[,P2,...]
              Find rules with at least one of the specified permissions.  Multiple permissions may be  specified
              as  a  comma  separated list; it is recommended that this list be quoted for shells that interpret
              comma as a special character.

       -b NAME, --bool=NAME
              Find conditional rules with NAME in their conditional expression.  This option will include  rules
              in both the true and false lists of the conditional.

OPTIONS

       The  following  additional  options  exist  to  modify  how  the  search  is  performed and the amount of
       information printed for each result.

       -d, --direct
              Normally rules are matched using  the  type  given  or  any  of  that  type's  attributes  (or  an
              attribute's  types).  This "indirect" matching also considers types used in complemented sets, the
              special set "*", and the special target "self".  When the direct flag is given, matching  is  done
              literally.  The rule must explicitly contain the given type (or attribute) for it to be returned.

       -R, --regex
              Use  regular  expressions  to  match  symbol  names.  By default only exact string matches will be
              considered.

       -n, --linenum
              Print the line number for each rule.  This option is ignored if using the --semantic option or  if
              line numbers are not available for the given policy.

       -S, --semantic
              Search  rules semantically instead of syntactically. This option is implied for policies for which
              syntactic rules are not available.

       -C, --show_cond
              Print the conditional expression and state for all conditional rules found.  This  option  has  no
              effect on unconditional rules.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.
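
EXAMPLES

       The following is an added example, not part of the original manual page or of SETools. It combines -A,
       -S, -t, -c and -p to list every source type or attribute allowed to write to a target type, then reports
       any source missing from an expected list. The function names, the type names in the usage comment and
       the assumed output line shape ("allow SOURCE TARGET : CLASS { PERMS } ;") are assumptions.

```shell
#!/bin/sh
# Added example (not from the sesearch manual page): audit which sources may
# write to a target type, using only options documented above.
# Assumed rule line shape:  allow SOURCE TARGET : CLASS { PERMS } ;

# writers_of TARGET CLASS [POLICY ...]
# Prints one source type/attribute per line, sorted and de-duplicated.
writers_of() {
    target=$1 class=$2
    shift 2
    # -A  allow rules only.
    # -S  semantic search, so each rule names a single source and target.
    # -p  quoted comma list; a rule matches if it holds at least one of them.
    # Matching is indirect by default, so rules written against an attribute
    # of TARGET are returned as well; add -d to require a literal match.
    sesearch -A -S -t "$target" -c "$class" -p 'write,append' "$@" |
        awk '{ for (i = 1; i < NF; i++)
                   if ($i == "allow") { print $(i + 1); break } }' |
        sort -u
}

# unexpected_writers TARGET CLASS "ALLOWED ..." [POLICY ...]
# Prints the sources returned by writers_of that are not in the
# space-separated ALLOWED list (hypothetical allowlist supplied by the caller).
unexpected_writers() {
    target=$1 class=$2 allowed=$3
    shift 3
    writers_of "$target" "$class" "$@" | while read -r src; do
        case " $allowed " in
            *" $src "*) ;;          # expected writer, stay quiet
            *) echo "$src" ;;       # writer not on the allowlist
        esac
    done
}

# Usage (type names are illustrative):
#   unexpected_writers shadow_t file "passwd_t useradd_t" policy.20
```

       The awk filter looks for the word "allow" anywhere on the line, so it skips the "Found N ..." header and
       still works when a prefix such as a line number (-n) precedes the rule.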

AUTHOR

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT

       Copyright(C) 2003-2008 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       seinfo(1), apol(1)

                                                                                                     sesearch(1)