sevisual_query

Section: SELinux Policy Analysis Tool (1)
Updated: 2017-02-09
 

NAME

sevisual_query - SELinux policy visual query  

SYNOPSIS

sevisual_query [-h] [-s SOURCE | -t TARGET]
                    [-sg SOURCE_GROUP | -tg TARGET_GROUP] [-c TCLASS]
                    [-p PERMS] [-a ATTR] [-b BOOL] [-ea] [-dg]
                    [-fb [FILTER_BOOLS]] [-fa ATTR] [-sm SIZE_MULTIPLIER]
                    [policy]

 

DESCRIPTION

Creates a visual representation (a PDF containing vector graphics) of the part of the given SELinux policy that concerns the selected type. Rules assigned via attributes are distinguished by color codes. Dashed lines represent conditional rules.

OPTIONS

 

Positional arguments:

policy
Path to the SELinux policy to be used.

 

Optional arguments:

-h, --help
Show this help message and exit.
-sm SIZE_MULTIPLIER, --size_multiplier SIZE_MULTIPLIER
Graph canvas size multiplier (>1 increases the space between nodes).

 

Rule search (similar to sesearch):

-s SOURCE, --source SOURCE
Source type of the TE rule.
-t TARGET, --target TARGET
Target type of the TE rule.
-sg SOURCE_GROUP, --source_group SOURCE_GROUP
Source type of the TE rule (the whole domain group containing the type is considered).
-tg TARGET_GROUP, --target_group TARGET_GROUP
Target type of the TE rule (the whole domain group containing the type is considered).
-c TCLASS, --class TCLASS
Comma-separated list of object classes.
-p PERMS, --perms PERMS
Comma-separated list of permissions.
-a ATTR, --attr ATTR
Comma-separated list of attributes.
-b BOOL, --bool BOOL
Comma-separated list of Booleans in the conditional expression.
-ea
Expand rules ending in an attribute (to all types that have the given attribute).

 

Filtering:

-dg
Group SELinux domains based on the package they belong to.
-fb [FILTER_BOOLS], --filter_bools [FILTER_BOOLS]
Filter rules based on the current boolean setting or a comma-separated list of [boolean]:[on/off].
-fa ATTR, --filter_attrs ATTR
Filter out rules allowed for the specified attributes. ATTR is a comma-separated list of attributes.

 

EXAMPLE

Show the policy concerning the bluetooth_t type (only access to files; other types are grouped into packages):

      $ sevisual_query -s bluetooth_t -c file -dg
      $ okular graph.pdf

 

SEE ALSO

seextract_cil(1), seexport_graph(1)  

HINTS

Have a look at seexport_graph, which can work with the whole policy package and produces an interactive visualization.

AUTHOR

Vit Mojzis <vmojzis@redhat.com>


 
