seexport_graph

Section: SELinux Policy Analysis Tool (1)
Updated: 2017-02-09
Page Index

NAME

seexport_graph - SELinux policy graph export tool

SYNOPSIS

seexport_graph [-h] [-c TCLASS] [-p PERMS] [-a ATTR] [-b BOOL] [-ea]
               [-fb [FILTER_BOOLS]] [-fa ATTR]
               package [policy]

DESCRIPTION

Exports part of given SELinux policy (concerning selected package) to a graphml file. This file can than be visualized (e.g. using Gephi - gephi.org)

OPTIONS

Positional arguments

package: Policy concerning this package will be exported
policy: Path to the SELinux policy to be used.

Optional arguments

-h, --help: show this help message and exit

Rule search (similar to sesearch)

-c TCLASS, --class TCLASS: Comma separated list of object classes
-p PERMS, --perms PERMS: Comma separated list of permissions.
-a ATTR, --attr ATTR: Comma separated list of attributes.
-b BOOL, --bool BOOL: Comma separated list of Booleans in the conditional expression.
-ea: Expand rules ending in attribute (to all types that have given attribute)

Filtering

-fb [FILTER_BOOLS], --filter_bools [FILTER_BOOLS]: Filter rules based on current boolean setting or comma separated list of [boolean]:[on/off]
-fa ATTR, --filter_attrs ATTR: Filter out rules allowed for specified attributes. ATTR is comma separated list of attributes.

EXAMPLE

Export policy concerning bluetooth daemon (only access to files, boolean settings is taken into account):

      $ seexport_graph bluetooth -fb -c file,process

BUGS

domain_groups_cil.conf has to be kept up to date using seextract_cil command. Only packages present there can be exported.

AUTHOR

Vit Mojzis <vmojzis@redhat.com>