seinfo Command: Query SELinux Policy Under CentOS / RHEL / Linux

by on December 1, 2012 · 0 comments· LAST UPDATED December 1, 2012

in

How do I query and get information about a policy under SELinux? How do I analyze a binary or a source policy file under SELinux?

Tutorial details
DifficultyIntermediate (rss)
Root privilegesYes
Requirementsseinfo
Estimated completion timeN/A

You need to use seinfo command. This command allows the user to query the components of a SELinux policy. You can analyze a binary or a source policy using this tool.

Installation

Type the following command:
# yum install setools-console
Sample outputs:

 
Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package setools-console.x86_64 0:3.3.7-4.el6 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package             Arch       Version          Repository                Size
================================================================================
Installing:
 setools-console     x86_64     3.3.7-4.el6      rhel-x86_64-server-6     328 k
 
Transaction Summary
================================================================================
Install       1 Package(s)
 
Total download size: 328 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
setools-console-3.3.7-4.el6.x86_64.rpm                   | 328 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : setools-console-3.3.7-4.el6.x86_64                           1/1
  Verifying  : setools-console-3.3.7-4.el6.x86_64                           1/1
 
Installed:
  setools-console.x86_64 0:3.3.7-4.el6
 
Complete!
 

How do I use seinfo Command?

The syntax is:

 
seinfo /path/to/policy
seinfo [options] /path/to/policy
 

For example, get information about /etc/selinux/targeted/policy/policy.24 policy, enter:
# seinfo /etc/selinux/targeted/policy/policy.24
Sample outputs:

 
 
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
 
   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3508    Attributes:        277
   Users:               9    Roles:              12
   Booleans:          190    Cond. Expr.:       225
   Allow:          275791    Neverallow:          0
   Auditallow:         97    Dontaudit:      202153
   Type_trans:      24052    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        292    Range_trans:      3995
   Constraints:        87    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           426
   Netifcon:            0    Nodecon:             0
   Permissives:        59    Polcap:              2
 

To list the number of types with the domain attribute, enter:
# seinfo -adomain -x | less
To print a list of user, enter:
# seinfo -adomain -u
Sample outputs:

   domain
Users: 9
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u
   git_shell_u

To print a list of roles, enter:
# seinfo -adomain -r
Sample outputs:

   domain
Roles: 12
   guest_r
   staff_r
   user_r
   git_shell_r
   logadm_r
   object_r
   sysadm_r
   system_r
   webadm_r
   xguest_r
   nx_server_r

To print a list of conditional booleans:
# seinfo -adomain -b
# seinfo -adomain -b | less
# seinfo -adomain -bssh_sysadm_login -x

For more information read seinfo man page:
# man seinfo

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 0 comments… add one now }

Leave a Comment

Tagged as: , , ,

Previous Faq:

Next Faq: