seinfoflow - Man Page

Information flow analysis for SELinux policies

Synopsis

seinfoflow [Options] -m MAP -s SOURCE [-t TARGET (-S|-A LIMIT)] [EXCLUDE [EXCLUDE ...]]

Description

seinfoflow is a command line tool that allows the user to perform information flow analyses on an SELinux policy.

Policy

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If no policy file is provided, seinfoflow will search for the policy running on the current system. If no policy can be found, seinfoflow will print an error message and exit.

Options

Analysis Settings

-p POLICY

Specify the policy to analyze. If none is specified, seinfoflow will search for the policy running on the current system.

-m MAP

Specify the path to the permission map file to use in the information flow analysis.

-s SOURCE

Specify the source type to use in the information flow analysis.

-t TARGET

Specify the target type to use in the information flow analysis. Using this option will also require specifying an analysis algorithm.

Analysis Algorithms

seinfoflow uses graph algorithms to analyze the information flow paths of an SELinux policy. The following algorithms are options for determining paths from a source type to a target type.

-S

Print the shortest information flow path(s) from the source type to the target type.  If multiple paths have the same length, all will be displayed.

-A LIMIT

Print all information flow path(s) up to LIMIT steps long.  Depending on the connectiveness of the policy, a limit of 5 or more may be extremely expensive.

Analysis Options

-w MIN_WEIGHT

Specify the minimum permission weight to consider for the analysis (1-10). The default is 3.

-l LIMIT_FLOWS

Specify the maximum number of information flows to output. The default is unlimited.

-o OUTPUT_PATH

Generate a graphical representation of the analysis in PNG format at the specified path.

EXCLUDE

A space-separated list of types to exclude from the analysis.

General Options

-r,  --reverse

Display information flows into the source type. No effect if a target type is specified.

--stats

Print information flow graph statistics at the end of the analysis.

-h,  --help

Print help information and exit.

--full

Print full rule lists for information flows.

--version

Print version information and exit.

-v,  --verbose

Print additional informational messages.

--debug

Enable debugging output.

Example

Show the shortest paths for process running as httpd_t to access user home files, using the default permission map:
# seinfoflow -s httpd_t -t user_home_t -S
List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"

Author

Chris PeBenito <pebenito@ieee.org>

Bugs

Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

See Also

apol(1), sediff(1), sedta(1), seinfo(1), sesearch(1)

Referenced By

apol(1), sechecker(1), sediff(1), sedta(1), seinfo(1), sesearch(1).

2016-02-20 SELinux Project SETools: SELinux Policy Analysis Tools