sesearch
Search SELinux policy for access rules
TLDR
Search for all allow rules
Search for rules related to a specific type
Search for rules related to a specific source type
Search for rules that allow a specific class and permission
Search for rules with a specific target type and class
Display more detailed information about matched rules
SYNOPSIS
sesearch [OPTIONS] RULE_TYPES [EXPRESSION] [POLICY]
PARAMETERS
At least one rule type is required; expression criteria are optional and are ANDed together. The spellings below are those of SETools 4, the Python rewrite shipped by current distributions. SETools 3 differed in places (for example -n/--linenum, which needed policy source rather than a binary policy and no longer exists), so confirm against sesearch --help for the installed version.
Rule types:
--allow, -A
Search allow rules.
--neverallow
Search neverallow rules. A module containing an allow rule that matches a neverallow is rejected at build or install time, so query this before writing one.
--auditallow
Search auditallow rules (access that is granted but logged).
--dontaudit
Search dontaudit rules (denials that are silenced; a denial you cannot find in the audit log may be hidden by one of these).
--type_trans, -T
Search type_transition rules.
--type_member
Search type_member rules.
--type_change
Search type_change rules.
--role_allow
Search role allow rules.
--role_trans
Search role_transition rules.
--range_trans
Search MLS range_transition rules.
Expression:
--source NAME, -s NAME
Match rules whose source is the type, attribute or role NAME. Attributes are expanded, so a rule written for an attribute that NAME belongs to also matches; add -ds to match only rules that name NAME directly.
--target NAME, -t NAME
Match rules whose target is NAME, with the same attribute expansion; -dt restricts the match to rules that name NAME directly.
--class NAME, -c NAME
Match rules on object class NAME (e.g. file, process, tcp_socket).
--perms P1[,P2,...], -p P1[,P2,...]
Match rules that grant at least one of the listed permissions (e.g. read, write, execute, name_connect). Comma separated, no spaces.
--default NAME, -D NAME
Match type_transition, type_member, type_change or role_transition rules whose resulting (default) type or role is NAME.
--bool NAME, -b NAME
Match conditional rules that depend on boolean NAME. Conditional rules are printed with their boolean expression and its current value, e.g. [ httpd_can_network_connect ]:False.
-rs, -rt
Treat the --source or --target argument as a regular expression.
Other options:
--verbose, -v
Print extra informational messages.
--version
Print the SETools version and exit.
--help, -h
Display a help message and exit.
POLICY
Path to a binary policy file (for example /etc/selinux/targeted/policy/policy.<version>, or a policy copied out of a container image or another host). When omitted, sesearch reads the policy the kernel is currently enforcing from /sys/fs/selinux/policy.
DESCRIPTION
sesearch queries a compiled SELinux policy for its access rules: allow, neverallow, auditallow, dontaudit, the type_transition family, role rules and MLS range transitions. By default it reads the policy the kernel is currently enforcing, so the answer reflects what is actually loaded, including rules that apply to a type through its attributes and conditional rules gated by booleans; it needs no policy source. Administrators use it to find out why an AVC denial occurred, to confirm that a rule is present (or absent) before and after installing a module, and to map what a given domain can reach. Criteria are ANDed, so a query narrows as source, target, class and permission are added; a query with only a rule type prints every rule of that kind in the policy.
CAVEATS
sesearch answers a policy question, not a runtime one. A matching allow rule whose boolean is off (printed as [ bool ]:False) grants nothing until the boolean is set, and a domain made permissive (listed by semanage permissive -l) is not blocked by a missing rule. Constraints (constrain, mlsconstrain) can deny access that an allow rule appears to grant; sesearch does not evaluate them, seinfo --constrain lists them.
Broad queries such as sesearch -A with no expression print every allow rule in the policy, far too much to read on a distribution policy; narrow with -s, -t, -c and -p.
Source and target matching expands attributes by default, so a rule in the output may be written for an attribute rather than for the type you named. Use -ds or -dt when you need to know which rules name the type directly.
It queries the currently loaded kernel policy, or the file given as POLICY, never policy source; an edit to a .te file is invisible until the module is rebuilt and installed with semodule.
DEBUGGING ACCESS DENIALS
An AVC denial in /var/log/audit/audit.log (ausearch -m AVC -ts recent is the quickest way to pull them out) names everything sesearch needs: the source type is the third colon-separated field of scontext, the target type is the third field of tcontext, tclass is the object class, and the permissions are the names in braces after "denied". Feed those to sesearch -A with -s, -t, -c and -p. No match means the policy has no rule for that access, attribute-expanded or otherwise: either the object is mislabeled (compare tcontext with the expected label from matchpathcon or semanage port -l) or a local module is needed, which audit2allow can draft from the same record. A match printed with [ bool ]:False means a boolean, not a missing rule, is the cause, and setsebool -P turns it on. Before installing a new allow rule, run the same expression with --neverallow so the module does not fail against an upstream neverallow.
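The workflow above, as an added example that is not part of SETools or this page: a POSIX shell script that pulls the source type, target type, class and permissions out of a constructed AVC record and builds the sesearch queries for it (allow, dontaudit, neverallow), running them only where sesearch is installed. The sesearch options it emits (-A, --dontaudit, --neverallow, -s, -t, -c, -p) are real SETools 4 options; the audit record, the function names and the script itself are this example's own and assume nothing beyond sed, cut and tr. The same queries, minus the parsing, are the invocations listed under TLDR.

```shell
#!/bin/sh
# Added example, not part of SETools or the sesearch man page: turn an AVC
# denial record into the sesearch queries that explain it. The sesearch flags
# used (-A, --dontaudit, --neverallow, -s, -t, -c, -p) are real SETools 4
# options; the audit record below is constructed for the example.

# Constructed record in the format auditd writes to /var/log/audit/audit.log:
# httpd trying to connect to the MySQL port.
AVC_LINE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field KEY LINE: value of the KEY=value token in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions inside "denied { ... }", comma separated,
# which is the form sesearch -p expects.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{ \([^}]*\)}.*/\1/p' \
        | tr -s ' ' ',' \
        | sed 's/^,//; s/,$//'
}

# query_for RULETYPE LINE: the sesearch command for rule kind RULETYPE
# (-A, --dontaudit, --neverallow, ...) matching the denied access in LINE.
query_for() {
    src=$(ctx_type "$(avc_field scontext "$2")")
    tgt=$(ctx_type "$(avc_field tcontext "$2")")
    cls=$(avc_field tclass "$2")
    perms=$(avc_perms "$2")
    printf 'sesearch %s -s %s -t %s -c %s -p %s\n' "$1" "$src" "$tgt" "$cls" "$perms"
}

# is_permissive LINE: succeeds if the record carries permissive=1, i.e. the
# access was logged but not blocked.
is_permissive() {
    [ "$(avc_field permissive "$1")" = "1" ]
}

# explain_denial LINE: print the three queries a practitioner runs for one
# record, and execute them when sesearch is present on this host.
explain_denial() {
    line=$1
    if is_permissive "$line"; then
        echo "# permissive=1: the access went ahead; fix the rule before enforcing"
    fi
    for kind in -A --dontaudit --neverallow; do
        q=$(query_for "$kind" "$line")
        case $kind in
            -A)           echo "# is the access allowed? (a hit ending [ bool ]:False needs setsebool)" ;;
            --dontaudit)  echo "# is a dontaudit hiding related denials?" ;;
            --neverallow) echo "# would a new allow rule for it violate a neverallow?" ;;
        esac
        echo "$q"
        if command -v sesearch >/dev/null 2>&1; then
            eval "$q"
        fi
    done
}

explain_denial "$AVC_LINE"
```

On a real host, replace AVC_LINE with output from ausearch -m AVC -ts recent, one record at a time. The parser keys on the tokens auditd always emits (scontext=, tcontext=, tclass=, the braces after "denied"), so it is indifferent to the extra fields (path=, dest=, comm=) that vary by object class, and MLS ranges with their additional colons do not disturb the type extraction because the type is always the third field.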
UNDERSTANDING POLICY STRUCTURE
Beyond debugging, sesearch is the tool for auditing what a policy lets a domain do. It can list every rule with a given type as source or target (sesearch -A -s TYPE, sesearch -A -t TYPE), every domain that transitions into a type (sesearch -T -D TYPE), every rule a boolean switches (sesearch -A -b NAME), or every write to a class of object (sesearch -A -c file -p write), which is how reviewers check that a confined domain cannot reach data it has no business touching. seinfo complements it by listing the types, attributes, roles, booleans and constraints themselves, and sediff compares two policies rule by rule.
HISTORY
sesearch is part of SETools, not policycoreutils (which holds semanage, semodule, setsebool and related tools). SETools was developed by Tresys Technology; SETools 4 reimplemented it in Python on top of libsepol and is the version current distributions ship (setools-console on Fedora and RHEL, setools on Debian and Ubuntu), with Chris PeBenito as maintainer. Option spellings changed between the two major versions, which is why older guides show flags that the installed sesearch rejects.
SEE ALSO
seinfo(1), sediff(1), audit2allow(1), ausearch(8), sealert(8), semanage(8), semodule(8), setsebool(8), selinux(8), checkmodule(8)


