Chapter 5. The sepolicy Suite
sepolicyutility provides a suite of features to query the installed SELinux policy. These features are either new or were previously provided by separate utilities, such as
setrans. The suite allows you to generate transition reports, man pages, or even new policy modules, thus giving users easier access and better understanding of the SELinux policy.
The policycoreutils-devel package provides
sepolicy. Enter the following command as the root user to install
yum install policycoreutils-devel
sepolicysuite provides the following features that are invoked as command-line parameters:
Table 5.1. The
|booleans||Query the SELinux Policy to see description of Booleans|
|communicate||Query the SELinux policy to see if domains can communicate with each other|
|generate||Generate an SELinux policy module template|
|gui||Graphical User Interface for SELinux Policy|
|interface||List SELinux Policy interfaces|
|manpage||Generate SELinux man pages|
|network||Query SELinux policy network information|
|transition||Query SELinux policy and generate a process transition report|
sepolicy Python Bindings
In previous versions of Red Hat Enterprise Linux, the setools package included the
sesearchutility is used for searching rules in a SELinux policy while the
seinfoutility allows you to query various other components in the policy.
In Red Hat Enterprise Linux 7, Python bindings for
seinfohave been added so that you can use the functionality of these utilities through the
sepolicysuite. See the example below:
> python >>> import sepolicy >>> sepolicy.info(sepolicy.ATTRIBUTE) Returns a dictionary of all information about SELinux Attributes >>>sepolicy.search([sepolicy.ALLOW]) Returns a dictionary of all allow rules in the policy.