sesearch Command in Linux
The sesearch command is the policy query tool of the SELinux setools suite. It reads a compiled SELinux policy, by default the one loaded in the kernel, and prints the rules that match a query: type enforcement rules (allow, auditallow, dontaudit), type transitions, role allow and role transition rules, and more. Because it works on the binary policy rather than the policy source, it shows the rules exactly as the kernel enforces them, including rules a type inherits through its attributes.
Table of Contents
Here is a comprehensive guide to the options available with the sesearch command −
- Understanding sesearch Command
- How to Use sesearch Command in Linux?
- Examples of sesearch Command in Linux
- Troubleshooting of sesearch Command in Linux
- Types of Rules of sesearch Command in Linux
Understanding sesearch Command
This command is particularly valuable for administrators and security professionals who need to audit, troubleshoot, and understand SELinux policies in detail. The command can be executed with various options to perform different types of policy queries and extract specific information.
The basic syntax for the sesearch command is as follows −
sesearch [options] RULE_TYPE... [EXPRESSION...] [policy]
At least one rule-type option (such as -A, --auditallow or --role_allow) is required; a query with only filters such as -s fails with an error. If no policy file is given, sesearch opens the policy currently loaded by the kernel.
How to Use sesearch Command in Linux?
The options below are filters and combine freely, so a query can be as broad as every allow rule involving a domain or as narrow as one source, target, class and permission. Used from scripts, sesearch lends itself to automated policy auditing, as shown later on this page.
-s or --source
This option names the source of the rule: a type (or attribute) for type enforcement rules, a role for role rules. Only rules with that source are returned. sesearch expands attributes by default, so the result also includes rules whose source is an attribute that httpd_t is a member of (such as domain); pass -ds as well to match only rules written against the name given. Every query must also name at least one rule type, here -A for allow rules.
Example −
sesearch -A -s httpd_t

In this example, the command lists the allow rules whose source is the httpd_t type or one of its attributes.
-t or --target
This option names the target of the rule, again a type or attribute for type enforcement rules. Attribute expansion applies to the target as well; use -dt to match the given name directly.
Example −
sesearch -A -t httpd_sys_content_t

In this example, the command lists the allow rules whose target is the httpd_sys_content_t type, that is, every domain that has some access to objects labeled with that type.
-c or --class
This option restricts the search to rules for the given object class (file, dir, tcp_socket, process, and so on). setools 4 accepts a comma-separated list. On its own, -c file matches a large share of the policy, so pair it with a source or target.
Example −
sesearch -A -s httpd_t -c file,dir

In this example, the command lists the allow rules that let httpd_t act on files and directories.
-p or --perm
This option restricts the search to rules that contain the given permission. A comma-separated list matches rules containing any of the permissions listed; add -ep to require an exact match of the whole set. A permission alone is rarely useful, so combine it with a class and a source or target.
Example −
sesearch -A -s httpd_t -c file -p write,append

In this example, the command lists the allow rules under which httpd_t may write to or append to files, which is the query to run when checking where a web server could drop a file.
--allow or -A
This option restricts the search to allow rules, the only rules that grant access. At least one rule-type option is required on every sesearch invocation; -A is the usual choice and, in setools 4, also covers allowxperm rules (extended permissions such as ioctl numbers).
Example −
sesearch --allow -s httpd_t -t httpd_sys_content_t -c file

In this example, the command queries SELinux policies for allow rules involving the httpd_t source type, the httpd_sys_content_t target type, and the file object class.
--auditallow
This option restricts the search to auditallow rules. These rules do not grant access; they cause an audit record to be written when an access that a separate allow rule already permits is exercised, so they mark permitted but security-sensitive operations.
Example −
sesearch --auditallow -s httpd_t

In this example, the command queries SELinux policies for auditallow rules involving the httpd_t source type.
--dontaudit
This option restricts the search to dontaudit rules, which suppress the AVC denial record for the listed accesses without permitting them. They exist to keep harmless, expected denials out of the audit log, and they are a common reason a failing operation produces no AVC message.
Example −
sesearch --dontaudit -s httpd_t

In this example, the command queries SELinux policies for dontaudit rules involving the httpd_t source type.
--role_allow
This option restricts the search to role allow rules, which authorize a change from one role to another (as performed by newrole or sudo -r). They are distinct from role_transition rules, which make a role change happen automatically on execution and are searched with --role_trans.
Example −
sesearch --role_allow

In this example, the command queries SELinux policies for role allow rules.
Examples of sesearch Command in Linux
Let's explore some practical examples to demonstrate the use of the sesearch command in different scenarios.
Querying Allow Rules for a Specific Source and Target Type
To query allow rules for a specific source and target type, use the --allow, -s, and -t options.
Example −
sesearch --allow -s httpd_t -t httpd_sys_content_t

In this example, the command queries SELinux policies for allow rules involving the httpd_t source type and the httpd_sys_content_t target type.
Querying Allow Rules for a Specific Source Type and Object Class
To query allow rules for a specific source type and object class, use the --allow, -s, and -c options.
Example −
sesearch --allow -s httpd_t -c file

In this example, the command queries SELinux policies for allow rules involving the httpd_t source type and the file object class.
Querying Rules for a Specific Permission
To query rules for a specific permission, use the -p option together with a rule type; the query below is the typical first check when an AVC denial reports { write } on a file.
Example −
sesearch -A -p write -s httpd_t -c file

In this example, the command lists the allow rules that give httpd_t write permission on files, whatever the target type.
Querying Auditallow Rules
To query auditallow rules, use the --auditallow option. A match here does not mean the access is permitted, only that it will be logged when an allow rule permits it; an empty result is normal, since most policies carry few auditallow rules.
Example −
sesearch --auditallow -s httpd_t

In this example, the command queries SELinux policies for auditallow rules involving the httpd_t source type.
Querying Dontaudit Rules
To query dontaudit rules, use the --dontaudit option. Check these when a process fails but no AVC denial appears in the audit log: a dontaudit rule may be hiding the denial. To see the hidden denials temporarily, rebuild the policy without dontaudit rules using semodule -DB, and restore them afterwards with semodule -B.
Example −
sesearch --dontaudit -s httpd_t

In this example, the command queries SELinux policies for dontaudit rules involving the httpd_t source type.
Querying Role Allow Rules
To query role allow rules, use the --role_allow option. These rules carry no object class or permission, so only -s and -t apply, and both take role names.
Example −
sesearch --role_allow -t sysadm_r

In this example, the command lists the role allow rules whose target is sysadm_r, that is, the roles from which a process may change to sysadm_r.
Automating Policy Auditing
You can create scripts to automate the process of auditing SELinux policies using the sesearch command.
Example Script −
#!/bin/bash
# Dump the type enforcement rules that name httpd_t as source, one rule type at a time.
set -eu
# Query allow rules for httpd_t source type
sesearch --allow -s httpd_t
# Query auditallow rules for httpd_t source type
sesearch --auditallow -s httpd_t
# Query dontaudit rules for httpd_t source type
sesearch --dontaudit -s httpd_t
Save this script as audit_policy.sh and make it executable −
chmod +x audit_policy.sh
You can then run the script to automate the policy auditing tasks −
./audit_policy.sh
Troubleshooting of sesearch Command in Linux
If you encounter issues while using the sesearch command, consider the following troubleshooting tips −
Install the setools Package
A "command not found" error means the setools console utilities are not installed; sesearch is not part of the core SELinux userland. The package is setools-console on Fedora, RHEL and their derivatives and setools on Debian and Ubuntu.
Check That a Policy Is Available
Without a policy file argument, sesearch opens the policy currently loaded by the kernel, so SELinux must be enabled with a policy loaded; verify this with sestatus. If SELinux is disabled on the machine, or you want to inspect a policy other than the running one, pass the compiled policy file explicitly (the version suffix depends on the system).
Example −
sestatus
sesearch -A -s httpd_t /etc/selinux/targeted/policy/policy.33

Verify Permissions
sesearch does not need root: it only reads the compiled policy, and the file under /etc/selinux/<type>/policy/ is normally world-readable. Use sudo only if a query fails with a permission error on the policy file.
Example −
sudo sesearch --allow -s httpd_t

Check SELinux Policy Files
If a rule you expect is missing, confirm that the module defining it is installed and enabled. semodule -l lists the installed modules and semodule -lfull also shows each module's priority and whether it is disabled (both need root); a disabled module contributes no rules to the loaded policy, and a policy rebuilt with semodule -DB differs from the shipped one.
Example −
sudo semodule -lfull

Types of Rules of sesearch Command in Linux
Allow Rules
Allow rules are the only rules that grant access: a process in the source type may exercise the listed permissions on objects of the target type and object class. Any access not covered by an allow rule is denied in enforcing mode and reported as an AVC denial. The example below is illustrative; in the stock targeted policy httpd_t has read-only access to httpd_sys_content_t, and content the web server may modify is labeled httpd_sys_rw_content_t instead.
Example −
allow httpd_t httpd_sys_content_t:file { read write };
Auditallow Rules
Auditallow rules grant nothing. When an access is permitted by an allow rule, a matching auditallow rule causes the kernel to write an AVC "granted" record, giving an audit trail for sensitive operations that the policy allows.
Example −
auditallow httpd_t httpd_sys_content_t:file { read write };
Dontaudit Rules
Dontaudit rules suppress the AVC denial record for the listed permissions; the access is still denied. They are written for accesses that programs attempt routinely but do not need, to keep the audit log readable, and they are why some failures leave no AVC message.
Example −
dontaudit httpd_t httpd_sys_content_t:file { read write };
Role Allow Rules
Role allow rules authorize a role change: a process in the first role may change to the second, as happens with newrole or sudo -r. In the policy language and in sesearch output they use the plain allow keyword with two roles and no object class. Automatic role changes on execution are role_transition rules, listed with --role_trans.
Example −
allow system_r user_r;
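The rule formats above and the policy-auditing script earlier both call for the same piece of code: a parser for the lines sesearch prints. The following Python program is an added example, not code from this page or from the setools project. It parses allow, auditallow, dontaudit and neverallow rules (single permission or braced set, with or without the trailing [ boolean ]:True/False marker that setools 4 prints for conditional rules) and role allow rules, then uses them for one concrete audit: which domains can modify files of a given type. SAMPLE_OUTPUT is written by hand in that format and is not captured output; the httpd_unified rule in it is illustrative. The sesearch_lines helper and the arguments it passes are the only part that touches a live system.

```python
"""Parse sesearch output and report which domains can modify a type.
Added example: not code from the original page or the setools project.
SAMPLE_OUTPUT is written by hand in the line format sesearch (setools 4)
prints; it is not captured output and the httpd_unified rule is illustrative."""
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# TE rule: KIND SRC TGT:CLASS PERM|{ PERMS };  optionally  [ boolean_expr ]:True|False
_TE_RE = re.compile(
    r"^(?P<kind>allow|auditallow|dontaudit|neverallow)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\S+?));"
    r"(?:\s+\[\s*(?P<cond>.*?)\s*\]:(?P<branch>True|False))?\s*$"
)
# Role allow rule: the same "allow" keyword, two roles, no object class.
_ROLE_RE = re.compile(r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+);\s*$")

# Permissions that let a domain change a file's content or existence.
WRITE_LIKE = frozenset({"write", "append", "create", "unlink", "rename", "setattr", "link"})

@dataclass
class Rule:
    kind: str                         # allow, auditallow, dontaudit, neverallow, role_allow
    source: str
    target: str
    tclass: Optional[str]             # None for role allow rules
    perms: FrozenSet[str] = field(default_factory=frozenset)
    condition: Optional[str] = None   # boolean expression of a conditional rule
    branch: Optional[bool] = None     # True: rule is active when the expression is true

    @property
    def grants_access(self) -> bool:
        return self.kind == "allow"   # auditallow and dontaudit never grant anything

def parse_rule(line: str) -> Optional[Rule]:
    """One sesearch output line -> Rule; None for blank or unsupported lines (allowxperm, ...)."""
    line = line.strip()
    m = _TE_RE.match(line)
    if m:
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        branch = None if m.group("branch") is None else m.group("branch") == "True"
        return Rule(m.group("kind"), m.group("src"), m.group("tgt"), m.group("cls"),
                    frozenset(perms), m.group("cond"), branch)
    m = _ROLE_RE.match(line)
    if m:
        return Rule("role_allow", m.group("src"), m.group("tgt"), None)
    return None

def parse_rules(lines) -> List[Rule]:
    return [r for r in map(parse_rule, lines) if r is not None]

def writers_of(rules: List[Rule], target: str, tclass: str = "file"
               ) -> List[Tuple[str, Tuple[str, ...], Optional[str]]]:
    """(source, write-like perms, condition) for each allow rule able to modify target:tclass.
    auditallow/dontaudit rules are ignored on purpose: they log or silence, they never grant."""
    found = []
    for r in rules:
        if r.grants_access and r.target == target and r.tclass == tclass:
            hit = r.perms & WRITE_LIKE
            if hit:
                found.append((r.source, tuple(sorted(hit)), r.condition))
    return found

def sesearch_lines(*args: str) -> Optional[List[str]]:
    """Output lines of sesearch with the given arguments; None if the tool is not installed."""
    if shutil.which("sesearch") is None:
        return None
    proc = subprocess.run(["sesearch", *args], capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

SAMPLE_OUTPUT = """\
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t httpd_sys_content_t:file { append create link rename setattr unlink write }; [ httpd_unified ]:True
auditallow httpd_t httpd_sys_content_t:file write;
dontaudit httpd_t httpd_sys_content_t:file { execute write };
allow system_r sysadm_r;
"""

def audit_writers(target: str = "httpd_sys_content_t", tclass: str = "file"):
    """Who can modify target:tclass in the loaded policy, or in SAMPLE_OUTPUT when offline."""
    lines = sesearch_lines("-A", "-t", target, "-c", tclass, "-p", ",".join(sorted(WRITE_LIKE)))
    if lines is None:
        lines = SAMPLE_OUTPUT.splitlines()
    return writers_of(parse_rules(lines), target, tclass)

if __name__ == "__main__":
    for source, perms, cond in audit_writers():
        note = f" (only while [ {cond} ] is true)" if cond else ""
        print(f"{source} may {' '.join(perms)} httpd_sys_content_t files{note}")
```

With sesearch installed the query goes to the loaded policy, and the sources printed may be attribute names rather than types (for example files_unconfined_type); seinfo -aATTRIBUTE -x expands an attribute to its member types. Without sesearch the program runs on the sample, so the parser can be exercised on any machine.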
Conclusion
When troubleshooting an AVC denial, take the source type, target type, object class and permissions from the audit record and query the policy with -A for exactly that tuple. No matching allow rule means the policy really does not permit the access, and the fix is a boolean, a relabel of the object or a policy module; a match that carries a boolean expression means the rule exists but the boolean is currently off, which getsebool confirms. SELinux policies are composed of various rules that define access controls and security contexts, and sesearch is the tool for reading those rules as the kernel sees them.
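A helper for the procedure just described, added here as an example and not part of the original page or of the setools project: it parses AVC denial records, deduplicates them (audit logs usually repeat the same denial many times) and emits the sesearch command for each distinct source, target, class and permission tuple. The AUDIT_LOG excerpt is constructed to look like type=AVC records from /var/log/audit/audit.log; its pids, inode numbers and file names are made up for the example.

```python
"""Turn AVC denial records into the sesearch queries that explain them.
Added example; not code from the original page or from the setools project.
AUDIT_LOG is constructed to look like type=AVC records from audit.log,
with made-up pids, inode numbers and file names."""
import re
import shlex
from collections import OrderedDict
from typing import Dict, List, Optional

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record: str) -> Optional[Dict]:
    """Pull the tuple sesearch needs out of one AVC denial record; None for other records."""
    m = _AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    try:
        # Contexts are user:role:type[:range]; only the type matters for TE rules.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "source": stype,
        "target": ttype,
        "tclass": tclass,
        "perms": tuple(sorted(m.group("perms").split())),
        # permissive=1: the domain is permissive, so the access went ahead and was only logged.
        "permissive": fields.get("permissive") == "1",
    }

def sesearch_query(denial: Dict) -> List[str]:
    """argv of the sesearch call that lists any allow rule covering this denial.
    -p with a comma-separated list matches rules holding any listed permission, so a
    multi-permission denial may need more than one rule to be fully covered."""
    return ["sesearch", "-A",
            "-s", denial["source"], "-t", denial["target"],
            "-c", denial["tclass"], "-p", ",".join(denial["perms"])]

def queries_for_log(text: str) -> List[List[str]]:
    """One query per distinct (source, target, class, perms) tuple, in first-seen order."""
    unique = OrderedDict()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"], d["perms"])
        unique.setdefault(key, d)
    return [sesearch_query(d) for d in unique.values()]

# Constructed audit.log excerpt: two identical write denials, one network denial,
# an unrelated SYSCALL record, and one denial from a permissive domain.
AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.dat" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.dat" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000001.000:458): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000002.000:459): avc:  denied  { add_name } for  pid=1234 comm="httpd" name="error_log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
"""

if __name__ == "__main__":
    for query in queries_for_log(AUDIT_LOG):
        print(shlex.join(query))
```

The three commands it prints are the ones to run next. On a stock targeted policy the second, for name_connect to mysqld_port_t, returns a rule tagged with the httpd_can_network_connect_db boolean, which is the cue to use setsebool rather than write a policy module; the first returns nothing, since httpd_t is not meant to write httpd_sys_content_t, and the fix is to relabel the upload directory as httpd_sys_rw_content_t.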