segraph_query

Section: SELinux Policy Analysis Tool (1)
Updated: 2017-02-09

NAME

segraph_query - SELinux policy analysis tool  

SYNOPSIS

segraph_query [-h] [-d POLICY_GRAPH2] POLICY_GRAPH QUERY_FUNCTIONS

 

DESCRIPTION

Analyses a policy graph (built with sebuild_graph) using the given query functions.
 

Available query functions:

write_executable
Finds all types corresponding to executables that can be written to. Lists a dictionary with executable types as keys and the types holding write permission on them as values.
transition_write
Finds domain transitions whose entrypoint can be rewritten by the source domain. Such a transition effectively extends the reach of the source domain by the access rights of the target domain, since the source can replace the code that runs in the target domain. Lists triplets of (source domain, target domain, entrypoint).
write_to_security
Finds domains that are allowed write access to "security related" types. Lists each domain holding such write access together with the affected types (the security types it can write to).
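The following is an added example, not code from segraph_query or sebuild_graph: the real tools work on a policy graph file whose format this page does not describe. It models a policy as a constructed list of allow rules (source type, target type, object class, permissions) and implements the three queries as the descriptions above define them, plus a new_findings helper that mirrors what the -d option reports: findings present in the changed graph but absent from the original. The type names follow SELinux reference-policy naming, but the rule set, the SECURITY_TYPES set and all function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample policy: (source type, target type, class, permissions).
POLICY_BEFORE = [
    ("init_t", "init_exec_t", "file", {"read", "execute"}),
    ("init_t", "httpd_exec_t", "file", {"read", "execute"}),
    ("httpd_t", "httpd_exec_t", "file", {"read", "execute", "entrypoint"}),
    ("init_t", "httpd_t", "process", {"transition"}),
    ("httpd_t", "httpd_sys_content_t", "file", {"read", "write"}),
    ("unconfined_t", "shadow_t", "file", {"read", "write"}),
    ("admin_t", "security_t", "file", {"read"}),
]

# The "after" policy: one added rule lets init_t rewrite httpd's entrypoint.
POLICY_AFTER = POLICY_BEFORE + [
    ("init_t", "httpd_exec_t", "file", {"write"}),
]

# Assumed set of "security related" types for write_to_security.
SECURITY_TYPES = {"shadow_t", "security_t", "selinux_config_t"}


def _index(policy):
    """Merge allow rules into {(source, target, class): set(perms)}."""
    acc = defaultdict(set)
    for src, tgt, cls, perms in policy:
        acc[(src, tgt, cls)] |= set(perms)
    return acc


def write_executable(policy):
    """Executable file types that some type may write: {exec_type: {writers}}.

    A type counts as executable if any rule grants execute or entrypoint on it.
    Only executables with at least one writer are listed.
    """
    idx = _index(policy)
    exec_types = {tgt for (src, tgt, cls), perms in idx.items()
                  if cls == "file" and perms & {"execute", "entrypoint"}}
    result = defaultdict(set)
    for (src, tgt, cls), perms in idx.items():
        if cls == "file" and tgt in exec_types and "write" in perms:
            result[tgt].add(src)
    return dict(result)


def transition_write(policy):
    """(source, target, entrypoint) triplets where source may transition to
    target through entrypoint and may also write the entrypoint file.

    A real domain transition also requires execute on the entrypoint, so the
    source must hold both execute and write here.
    """
    idx = _index(policy)
    found = set()
    for (src, tgt, cls), perms in idx.items():
        if cls != "process" or "transition" not in perms:
            continue
        for (dom, entry, cls2), perms2 in idx.items():
            if dom == tgt and cls2 == "file" and "entrypoint" in perms2:
                src_perms = idx.get((src, entry, "file"), set())
                if {"execute", "write"} <= src_perms:
                    found.add((src, tgt, entry))
    return found


def write_to_security(policy, security_types=SECURITY_TYPES):
    """Domains with write access to security types: {domain: {types}}."""
    idx = _index(policy)
    result = defaultdict(set)
    for (src, tgt, cls), perms in idx.items():
        if tgt in security_types and "write" in perms:
            result[src].add(tgt)
    return dict(result)


def _flatten(result):
    """Normalise a dict-of-sets or a set of triplets into a set of tuples."""
    if isinstance(result, dict):
        return {(key, val) for key, vals in result.items() for val in vals}
    return set(result)


def new_findings(before, after, query):
    """Findings `query` reports for `after` that it did not report for `before`;
    this is the kind of comparison the -d option is meant to surface."""
    return _flatten(query(after)) - _flatten(query(before))


if __name__ == "__main__":
    for query in (write_executable, transition_write, write_to_security):
        print(query.__name__, sorted(_flatten(query(POLICY_AFTER))))
        print("  new since POLICY_BEFORE:",
              sorted(new_findings(POLICY_BEFORE, POLICY_AFTER, query)))
```

In the constructed policy the single added rule turns up in two queries at once: write_executable reports init_t as a writer of httpd_exec_t, and transition_write reports the (init_t, httpd_t, httpd_exec_t) triplet, which is the "increased reach" case the description warns about. write_to_security is unchanged by the edit, so a diff-style comparison shows nothing new for it.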

 

OPTIONS

 

Positional arguments:

POLICY_GRAPH
Policy graph file
QUERY_FUNCTIONS
Comma separated list of query functions to be executed

 

Optional arguments:

-h, --help
Show help message and exit
-d POLICY_GRAPH2, --diff POLICY_GRAPH2
Another policy graph file for comparison
 

EXAMPLE

Check a policy graph (created using sebuild_graph) with the write_executable function:

      $ segraph_query graph write_executable

Show the consequences of a policy change (graph was built from the original policy, graph2 from the changed one) across all three query functions:

      $ segraph_query graph2 write_executable,transition_write,write_to_security -d graph


 

SEE ALSO

sebuild_graph(1)  

AUTHOR

Vit Mojzis <vmojzis@redhat.com>
