Chapter 5. The sepolicy Suite

The sepolicy utility provides a suite of features to query the installed SELinux policy. These features are either new or were previously provided by separate utilities, such as sepolgen or setrans. The suite allows you to generate transition reports, man pages, or even new policy modules, thus giving users easier access and better understanding of the SELinux policy.
The policycoreutils-devel package provides sepolicy. Run the following command as the root user to install sepolicy:
~]# yum install policycoreutils-devel
The sepolicy suite provides the following features that are invoked as command-line parameters:

Table 5.1. The sepolicy Features

FeatureDescription
booleansQuery the SELinux Policy to see description of Booleans
communicateQuery the SELinux policy to see if domains can communicate with each other
generateGenerate an SELinux policy module template
guiGraphical User Interface for SELinux Policy
interfaceList SELinux Policy interfaces
manpageGenerate SELinux man pages
networkQuery SELinux policy network information
transitionQuery SELinux policy and generate a process transition report

5.1. The sepolicy Python Bindings

In previous versions of Red Hat Enterprise Linux, the setools package included the sesearch and seinfo utilities. The sesearch utility is used for searching rules in a SELinux policy while the seinfo utility allows you to query various other components in the policy.
In Red Hat Enterprise Linux 7, Python bindings for sesearch and seinfo have been added so that you can use the functionality of these utilities through the sepolicy suite. See the example below:
> python
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
Returns a dictionary of all information about SELinux Attributes
>>>sepolicy.search([sepolicy.ALLOW])
Returns a dictionary of all allow rules in the policy.