segraph_query - Man Page
SELinux policy analysis tool
Synopsis
segraph_query [-h] [-d POLICY_GRAPH2] POLICY_GRAPH QUERY_FUNCTIONS
Description
Analyses policy graph using given query functions.
Available query functions
- write_executable
Finds all types corresponding to executables that can be written to. Lists a dictionary with executable types as keys and the types holding write permission on them as values.
- transition_write
Finds domain transitions via entrypoints that can be rewritten by the source domain. This effectively extends the reach of the source domain by the access rights of the target domain. Lists triplets of (source domain, target domain, entrypoint).
- write_to_security
Finds domains that are allowed write access to "security related" types. Lists domains with the specified write access together with the list of affected types (security types that can be written to).
Options
Positional arguments
- POLICY_GRAPH
Policy graph file
- QUERY_FUNCTIONS
Comma-separated list of query functions to be executed
Optional arguments
- -h, --help
Show help message and exit
- -d POLICY_GRAPH2, --diff POLICY_GRAPH2
Another policy graph file for comparison
Example
Check a policy graph (created using sebuild_graph) with the write_executable function:
$ graph_query.py graph write_executable
Show the consequences of a policy change (graph2 was created after the change, graph before it):
$ segraph_query graph2 write_executable,transition_write,write_to_security -d graph
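The three query functions listed above and the -d comparison mode can be understood as set operations over the allow rules of a policy. The following is an added illustration, not the segraph_query source and not the graph format sebuild_graph produces: it builds a toy "policy graph" from a constructed list of allow rules, runs simplified versions of write_executable, transition_write and write_to_security over it, and diffs the results of two graphs the way the -d option compares a policy before and after a change. The rule tuples, type names and the notion of "security related" types are all assumptions made for the example.

```python
# Added example (not the segraph_query implementation): toy policy-graph queries.
from collections import defaultdict

# Constructed sample allow rules: (source type, target type, class, permissions).
SAMPLE_RULES = [
    ("init_t", "bin_t", "file", {"read", "execute"}),
    ("unconfined_t", "bin_t", "file", {"read", "write", "execute"}),
    ("init_t", "httpd_exec_t", "file", {"read", "execute"}),
    ("init_t", "httpd_t", "process", {"transition"}),
    ("sysadm_t", "httpd_t", "process", {"transition"}),
    ("sysadm_t", "httpd_exec_t", "file", {"write"}),      # writable entrypoint
    ("httpd_t", "httpd_exec_t", "file", {"entrypoint", "read", "execute"}),
    ("httpd_t", "shadow_t", "file", {"write"}),
    ("passwd_t", "shadow_t", "file", {"read", "write"}),
]

# "Before the change" graph: same policy without the sysadm_t write rule.
SAMPLE_RULES_BEFORE = [r for r in SAMPLE_RULES
                       if r[:2] != ("sysadm_t", "httpd_exec_t")]

# Assumed set of "security related" types for write_to_security.
SECURITY_TYPES = {"shadow_t"}


def build_graph(rules):
    """Index rules as (source, target) -> set of (class, permission) edges."""
    graph = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for perm in perms:
            graph[(src, tgt)].add((cls, perm))
    return graph


def executable_types(graph):
    """Types that some domain may execute or use as a process entrypoint."""
    return {tgt for (_, tgt), edges in graph.items()
            if ("file", "execute") in edges or ("file", "entrypoint") in edges}


def write_executable(graph):
    """Executable types that are writable -> set of types holding write."""
    execs = executable_types(graph)
    result = defaultdict(set)
    for (src, tgt), edges in graph.items():
        if tgt in execs and ("file", "write") in edges:
            result[tgt].add(src)
    return dict(result)


def transition_write(graph):
    """(source, target, entrypoint) triplets where the source domain can
    transition to the target domain and also write the entrypoint file."""
    triplets = []
    for (src, tgt), edges in graph.items():
        if ("process", "transition") not in edges:
            continue
        for (dom, ep), ep_edges in graph.items():
            if dom != tgt or ("file", "entrypoint") not in ep_edges:
                continue
            if ("file", "write") in graph.get((src, ep), set()):
                triplets.append((src, tgt, ep))
    return sorted(triplets)


def write_to_security(graph, security_types):
    """Domains with write access to security types -> affected types."""
    result = defaultdict(set)
    for (src, tgt), edges in graph.items():
        if tgt in security_types and ("file", "write") in edges:
            result[src].add(tgt)
    return dict(result)


def diff_results(old, new):
    """Entries present in the new result but not in the old one (the -d view)."""
    added = {}
    for key, values in new.items():
        extra = values - old.get(key, set())
        if extra:
            added[key] = extra
    return added


if __name__ == "__main__":
    before = build_graph(SAMPLE_RULES_BEFORE)
    after = build_graph(SAMPLE_RULES)
    print("write_executable:", write_executable(after))
    print("transition_write:", transition_write(after))
    print("write_to_security:", write_to_security(after, SECURITY_TYPES))
    print("new writable executables since change:",
          diff_results(write_executable(before), write_executable(after)))
```

In the constructed policy, the only finding that appears after the change is that sysadm_t can now write httpd_exec_t, the entrypoint it can transition through; that is exactly the kind of new (source, target, entrypoint) triplet the -d comparison is meant to surface.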
See Also
Author
Vit Mojzis <vmojzis@redhat.com>
Referenced By
sebuild_graph(1), seextract_cil(1).