Provided by: setools_4.5.1-1.1build1_amd64

NAME

       sesearch - SELinux policy query tool

SYNOPSIS

       sesearch [OPTIONS] [OPTIONS] [EXPRESSION] [POLICY]

DESCRIPTION

       sesearch allows the user to search the rules in a SELinux policy.

POLICY

       A  single  file  containing  a binary policy. This file is usually named by version on Linux systems, for
       example, policy.30. This file is usually named sepolicy  on  Android  systems.   If  no  policy  file  is
       provided,  sesearch  will search for the policy running on the current system. If no policy can be found,
       sesearch will print an error message and exit.

EXPRESSIONS

       The user may specify an expression containing values for one or more fields in a rule.  If no
       expression is specified, or if none of the specified fields apply to a given rule type, all rules of
       that type are considered to match the expression.

   Type Enforcement Rule Types
       -A     Find allow and allowxperm rules.

       --allow
              Find allow rules.

       --auditallow
              Find auditallow rules.

       --dontaudit
              Find dontaudit rules.

       --allowxperm
              Find allowxperm rules.

       --auditallowxperm
              Find auditallowxperm rules.

       --dontauditxperm
              Find dontauditxperm rules.

       -T, --type_transition
              Find type_transition rules.

       --type_member
              Find type_member rules.

       --type_change
              Find type_change rules.

   RBAC Rule Types
       --role_allow
              Find role allow rules.

       --role_transition
              Find role_transition rules.

       Note: TE/MLS rule searches cannot be mixed with RBAC rule searches.

   MLS Rule Types
       --range_transition
              Find range_transition rules.

   Rule Fields
       -s NAME, --source NAME
              Find rules with NAME as their source type/role.

       -t NAME, --target NAME
              Find rules with NAME as their target type/role.

       -D NAME, --default NAME
              Find rules with NAME as their default type/role/level.

       -c NAME, --class NAME
              Find rules with NAME as their object class.

       -p P1[,P2,...], --perm P1[,P2,...]
              Find  rules with at least one of the specified permissions.  Multiple permissions may be specified
              as a comma-separated list.

       -b BOOL[,B2,...], --bool BOOL[,B2,...]
              Find conditional rules with the named Boolean in their conditional expression.  Multiple  Booleans
              may  be  specified as a comma-separated list.  This option will include rules in both the true and
              false lists of the conditional.

   Search Options
       The following additional options modify how the search is performed.

       -ds    A matching rule must have the specified source attribute/type/role explicitly, instead of matching
              by attribute contents.

       -dt    A matching rule must have the specified target attribute/type/role explicitly, instead of matching
              by attribute contents.

       -eb    A matching rule must have all specified Booleans, instead of matching any of the specified
              Booleans.

       -ep    A matching rule must have exactly the specified permissions, instead of matching any of the
              specified permissions.

       -ex    A matching rule must have exactly the specified extended  permissions,  instead  of  matching  any
              listed extended permission.

       -Sp    A matching rule must have permissions which are a superset of the specified permissions,
              instead of matching any of the permissions.

       -rs    Use regular expression for matching the source type/role.

       -rt    Use regular expression for matching the target type/role.

       -rc    Use regular expression for matching the object class.

       -rd    Use regular expression for matching the default type/role.

       -rb    Use regular expression for matching Booleans.
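
       The following is an added example, not part of the original manual page and not SETools code: a
       small Python model of how -ds and the -p/-ep/-Sp modes change which rules match. The rules, the
       attribute membership and all function names are constructed for illustration.

```python
# Model of the sesearch match modes over constructed rules (not SETools code).
from dataclasses import dataclass

# Constructed attribute membership: attribute -> member types (an assumption).
ATTRS = {"container_domain": {"container_t", "spc_t"}}

@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    tclass: str
    perms: frozenset

# Constructed sample allow rules, not taken from any real policy.
RULES = [
    Rule("container_domain", "container_file_t", "file", frozenset({"read", "getattr"})),
    Rule("container_t", "container_file_t", "file", frozenset({"read", "write", "getattr"})),
    Rule("spc_t", "container_file_t", "file", frozenset({"read"})),
    Rule("init_t", "container_file_t", "file", frozenset({"getattr"})),
]

def expand(name):
    """An attribute expands to its member types; a type expands to itself."""
    return ATTRS.get(name, {name})

def source_matches(rule, name, direct=False):
    if direct:                        # -ds: the rule must name NAME itself
        return rule.source == name
    # Default: match by attribute contents (the two expansions overlap).
    return bool(expand(rule.source) & expand(name))

def perms_match(rule, wanted, mode="any"):
    wanted = frozenset(wanted)
    if mode == "exact":               # -ep: exactly the specified permissions
        return rule.perms == wanted
    if mode == "superset":            # -Sp: rule permissions include all of them
        return rule.perms >= wanted
    return bool(rule.perms & wanted)  # -p alone: at least one permission

def search(source=None, perms=None, direct=False, mode="any"):
    """Return the source field of every constructed rule that matches."""
    hits = []
    for rule in RULES:
        if source is not None and not source_matches(rule, source, direct):
            continue
        if perms is not None and not perms_match(rule, perms, mode):
            continue
        hits.append(rule.source)
    return hits
```

       In this model, querying a type with direct matching drops the rule it inherits through its
       attribute, so a review of what a domain is allowed to do should leave -ds off.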

OPTIONS

       -h, --help
              Print help information and exit.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

EXAMPLE

       List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with
       attribute container_domain:
       # sesearch -A -s container_domain -t container_file_t -c file

       List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled
       by boolean container_use_devices:
       # sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices

       List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types
       with that attribute are excluded):
       # sesearch --dontaudit -s application_domain_type -ds

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1)

SELinux Project                                    2016-02-20                                        sesearch(1)