sesearch
Search SELinux policy rules.
Additional Notes
sesearch searches SELinux policy rules for specific types, classes, permissions, or roles. It is part of the setools-console package and allows administrators to find the allow rules, type transitions, role transitions, and other policy statements that govern access control.
Understanding SELinux denials (AVC messages) often requires searching the policy to find why access was granted or denied. sesearch is the primary tool for this, allowing you to query what a domain can access or what can access a domain.
Syntax
sesearch [options] [expression]
Parameters
- options: Flags that change how sesearch behaves.
- target: Optional file, device, interface, user, service, or command target when the command supports one.
Common Options
- -A, --allow: Search for allow rules.
- --neverallow: Search for neverallow rules.
- --audit: Search for auditallow rules.
- --dontaudit: Search for dontaudit rules.
- -T, --type_trans: Search for type transition rules.
- -R, --role_trans: Search for role transition rules.
- -s source: Specify the source type (domain).
- -t target: Specify the target type.
- -c class: Specify the object class.
- -p perms: Specify permissions (comma-separated).
- -d, --direct: Search in the direct policy, not expanded.
- -b boolean: Search for rules conditional on a boolean.
- --eregex: Interpret type/class names as extended regular expressions.
Examples
sesearch -A -s httpd_t
Find all allow rules where httpd_t is the source domain.
sesearch -A -t httpd_sys_content_t
Find all allow rules that target the httpd_sys_content_t type.
sesearch -A -s httpd_t -t port_t -c tcp_socket -p name_connect
Search for rules allowing httpd_t to connect to TCP sockets labeled port_t.
sesearch -T -s initrc_t
Find type transition rules where initrc_t is the source.
sesearch --dontaudit -s httpd_t
Find dontaudit rules for httpd_t (rules that suppress denials).
Practical Notes
- AVC denial messages in /var/log/audit/audit.log contain the source type (scontext), target type (tcontext), class, and permission that was denied.
- Use sesearch with -A -s source_type -t target_type to see if an allow rule exists for a denied access.
- The -d flag shows only rules defined in the loaded policy module, not inherited base rules.
- Boolean names found with -b can be used with setsebool to toggle conditional rules.
- sesearch requires the setools-console package.
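The notes above describe a two-step routine: pull scontext, tcontext, tclass and the denied permission out of an AVC record, then ask sesearch whether an allow rule covers that exact access. The script below is an added example, not part of this page or of the setools project; it parses a constructed AVC line (the sample is made up, not from a real audit log) into the matching sesearch -A query, and runs the query only if sesearch is installed. The function names avc_to_sesearch, context_type and check_denial are this example's own.

```shell
#!/bin/sh
# Added example: build the sesearch query that checks an AVC denial.
# The AVC line below is constructed for illustration, not a real audit record.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Return the type component of a security context (user:role:type:level).
# e.g. system_u:system_r:httpd_t:s0 -> httpd_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Turn one AVC line into "sesearch -A -s <src> -t <tgt> -c <class> -p <perms>".
# Multiple permissions inside { } become a comma-separated -p list.
# Returns 1 if any of the four fields cannot be found in the line.
avc_to_sesearch() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' \
            | tr -s ' ' ',' | sed 's/^,//; s/,$//')
    scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$scon" ] && [ -n "$tcon" ] && [ -n "$tclass" ] || return 1
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(context_type "$scon")" "$(context_type "$tcon")" "$tclass" "$perms"
}

# Print the query and, when setools-console is present, run it.
# No output from sesearch means no allow rule (conditional or not) covers
# the denied access; a rule printed with a boolean name points at setsebool.
check_denial() {
    cmd=$(avc_to_sesearch "$1") || { echo "could not parse AVC line" >&2; return 1; }
    echo "query: $cmd"
    if command -v sesearch >/dev/null 2>&1; then
        $cmd
    fi
}

check_denial "$AVC_SAMPLE"
```

Feed it real records with something like grep AVC /var/log/audit/audit.log piped into a while-read loop; the query it prints is the same one the practical notes describe, with -c and -p added so the result is specific to the class and permission that were denied.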