Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 89

Chapter 6. Tools for Manipulating and Analyzing SELinux
Classes:          53    Permissions:     192
Types:           316    Attributes:        0
Users:             3    Roles:             4
Booleans:         20    Cond. Expr.:      21
Allow:         11134    Neverallow:        0
Auditallow:        2    Dontaudit:       569
Type_trans:      157    Type_change:       0
Role allow:        5    Role trans:        0
Initial SIDs:      0

sesearch

Similar to the way that seinfo provides light information gathering functionality from apol on the command line, sesearch lets you search for a particular type in the policy. Policy source or binary can be used.

sesearch -a -t httpd_sys_content_t $SELINUX_POLICY/policy.conf

5 Rules match your search criteria
allow httpd_suexec_t { httpd_sys_content_t \
  httpd_sys_script_ro_t httpd_sys_script_rw_t \
  httpd_sys_script_exec_t } : dir \
  { getattr search };
allow httpd_sys_script_t httpd_sys_content_t : dir { getattr search };
allow httpd_t httpd_sys_content_t : dir { read getattr \
  lock search ioctl };
allow httpd_t httpd_sys_content_t : file { read getattr \
  lock ioctl };
allow httpd_t httpd_sys_content_t : lnk_file { getattr \
  read };

# This same search, when performed on the binary policy file,
# generates 38 matching rules.

There are command line options to sesearch to control various factors of the search:

Option                    Behavior
-s, --source NAME         Search for rules that have the search expression as a source; NAME is a regular expression.
-t, --target NAME         Search for rules that have NAME as a target.
-c, --class NAME          Search for rules that have NAME as the object class.
-p, --perms P1[,P2...]    Search for one or more specific permissions.
--allow                   Search for only allow rules.
--neverallow              Search for only neverallow rules.
--audit                   Search for only dontaudit and auditallow rules.
--type                    Search for only type transition (type_trans) and type change (type_change) rules.
-i, --indirect            Do an indirect search, which looks for rules deriving from a type's attribute.
-n, --noregex             Do not use regular expression matching for types and attributes searched for.
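
An added example, not part of the original guide: a Python script that parses allow rules in the format of the sesearch output on this page (brace sets and "\" continuations included) and reports which source types are granted more than read-style access to a target type. The function names and the READ_ONLY baseline are assumptions made for this example, and the sample text is reconstructed from the five rules in the guide's run.

```python
import re

# Constructed sample: the five rules from the sesearch run on this page,
# with the guide's "\" line continuations left in place.
SAMPLE = r"""5 Rules match your search criteria
allow httpd_suexec_t { httpd_sys_content_t \
  httpd_sys_script_ro_t httpd_sys_script_rw_t \
  httpd_sys_script_exec_t } : dir \
  { getattr search };
allow httpd_sys_script_t httpd_sys_content_t : dir { getattr search };
allow httpd_t httpd_sys_content_t : dir { read getattr \
  lock search ioctl };
allow httpd_t httpd_sys_content_t : file { read getattr \
  lock ioctl };
allow httpd_t httpd_sys_content_t : lnk_file { getattr \
  read };
"""

FIELD = r"(\{[^}]*\}|\S+)"  # a "{ a b c }" set or a single name
RULE = re.compile(rf"^allow\s+{FIELD}\s+{FIELD}\s*:\s*{FIELD}\s+{FIELD}\s*;", re.M)

# Assumption for this example: permissions treated as read-only access.
READ_ONLY = frozenset({"getattr", "search", "read", "lock", "ioctl"})

def _names(field):
    return frozenset(field.strip("{} ").split())

def parse_allow_rules(text):
    """Return one (sources, targets, classes, perms) tuple per allow rule."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)  # undo "\" continuations
    return [tuple(_names(f) for f in m.groups()) for m in RULE.finditer(joined)]

def access_to(rules, target):
    """Map (source, class) -> permissions granted on the target type."""
    table = {}
    for sources, targets, classes, perms in rules:
        if target in targets:
            for key in ((s, c) for s in sources for c in classes):
                table[key] = table.get(key, frozenset()) | perms
    return table

def beyond_read_only(table, baseline=READ_ONLY):
    """Keep only entries granting permissions outside the baseline."""
    return {k: v - baseline for k, v in table.items() if v - baseline}

if __name__ == "__main__":
    table = access_to(parse_allow_rules(SAMPLE), "httpd_sys_content_t")
    for (source, cls), perms in sorted(table.items()):
        print(f"{source:20} {cls:9} {' '.join(sorted(perms))}")
    print("beyond read-only:", beyond_read_only(table))
```

Because the guide notes that the same search on the binary policy returns 38 rules instead of 5, run a review like this against the output from the policy form that is actually loaded.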