
sechecker - Online in the Cloud


PROGRAM:

NAME


sechecker - SELinux policy checking tool

SYNOPSIS


sechecker [OPTIONS] -p profile [POLICY ...]
sechecker [OPTIONS] -m module [POLICY ...]
sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION


sechecker allows the user to perform predefined modular checks on a SELinux policy.
Profiles exist to group modules together and allow modification of module settings (see
below).

POLICY


sechecker supports loading a SELinux policy in one of four formats.

source
A single text file containing policy source for versions 12 through 21. This file
is usually named policy.conf.

binary
A single file containing a monolithic kernel binary policy for versions 15 through
21. This file is usually named by version - for example, policy.20.

modular
A list of policy packages each containing a loadable policy module. The first
module listed must be a base module.

policy list
A single text file containing all the information needed to load a policy, usually
exported by SETools graphical utilities.

If no policy file is provided, sechecker will search for the system default policy:
checking first for a source policy, next for a binary policy matching the running kernel's
preferred version, and finally for the highest version that can be found. In the last
case, the policy will be downgraded to match the running system. If no policy can be
found, sechecker will print an error message and exit.

OPTIONS


-p PROFILE, --profile=PROFILE
Load module settings from a module profile. The settings in the profile will
override the default settings for all specified modules. If specified without -m,
run all modules in the profile. PROFILE may either be the name of a known profile
(see --list) or the path to a user-created profile. See PROFILE OPTIONS below for
more information about creating profiles.

-m MODULE, --module=MODULE
Run only the module named MODULE (see --list).

--min-sev=SEVERITY
Report only results with the minimum severity of SEVERITY. SEVERITY must have one
of the following values:

low
The module's results indicate a flaw in the policy that does not affect the
manner in which the policy is enforced, but is considered to be improper.

med
The module's results indicate a flaw in the policy that changes the manner
in which the policy is enforced; however, it does not present an
identifiable security risk.

high
The module's results indicate a flaw in the policy that presents an
identifiable security risk.

--fcfile=FILE
Use FILE for the file_contexts file instead of the system default. This flag is
only applicable if sechecker was configured with the --enable-sefs flag.

-l, --list
Print a list of the name and a brief description of all known profiles and modules
and exit.

-h[MODULE], --help[=MODULE]
Print general help information and exit. If MODULE is provided, print help
information for the module named MODULE and exit.

-V, --version
Print version information and exit.

REPORT GENERATION OPTIONS
Only one of the following may be provided to specify the length of the report for all
modules. If provided, this option overrides both profile and module default output
settings.

-q, --quiet
suppress output

-s, --short
print short output

-v, --verbose
print verbose output

PROFILE OPTIONS


Profiles are used to group modules together, to specify the output format for each module
in the report, and to provide the ability to override the modules' default options. Each
profile is a well-formed XML document, as specified by the DTD installed with sechecker.
An example profile follows:

<sechecker version="1.1">
  <profile>
    <module name="find_domains">
      <output value="quiet"/>
      <option name="domain_attribute">
        <item value="domain"/>
        <item value="user_domain"/>
        ...
      </option>
    </module>
    ...
  </profile>
</sechecker>

The example profile specifies the output property for the find_domains module. The
example profile also overrides the default value for the "domain_attribute" option in the
find_domains module.

PROFILE OUTPUT OPTIONS
The valid output values for each module are specified below:

verbose
Print each result in the report with accompanying proof(s).

short
Print a list of results with no accompanying proof.

none
Do not print output from this module in the report; however, module errors will
still be printed.

quiet
Do not print output from this module in the report and do not print errors. This is
useful for utility modules for which the calling module handles any errors.

PROFILE MODULE OPTIONS
Several modules provide one or more options that can be set from a profile. Each option
has one or more items. To check what options are available for a module use
--help=MODULE, where MODULE is the name of the module as printed by --list.
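
The following is an added example, not part of sechecker or its documentation: a small profile linter that reads the profile layout shown above and reports output values outside the four listed here, options with no items, and modules whose output setting hides results or errors. The module name example_module, the value "brief" and the function name lint_profile are constructed for illustration; the linter does not replace validation against the DTD installed with sechecker.

```python
import xml.etree.ElementTree as ET

VALID_OUTPUT = {"verbose", "short", "none", "quiet"}  # values listed on this page

# Constructed sample profile; find_domains comes from the page's example,
# example_module and the value "brief" are hypothetical.
SAMPLE_PROFILE = """<sechecker version="1.1">
  <profile>
    <module name="find_domains">
      <output value="quiet"/>
      <option name="domain_attribute">
        <item value="domain"/>
        <item value="user_domain"/>
      </option>
    </module>
    <module name="example_module">
      <output value="brief"/>
    </module>
  </profile>
</sechecker>"""

def lint_profile(xml_text):
    """Return (modules, findings) for a sechecker profile document."""
    root = ET.fromstring(xml_text)  # raises ParseError if not well-formed
    if root.tag != "sechecker":
        raise ValueError("root element must be <sechecker>")
    modules, findings = {}, []
    for mod in root.iterfind("./profile/module"):
        name = mod.get("name")
        if not name:
            findings.append("module element without a name attribute")
            continue
        out = mod.find("output")
        value = out.get("value") if out is not None else None
        options = {opt.get("name"): [i.get("value") for i in opt.findall("item")]
                   for opt in mod.findall("option")}
        modules[name] = {"output": value, "options": options}
        if value is not None and value not in VALID_OUTPUT:
            findings.append(f"{name}: invalid output value {value!r}")
        elif value == "quiet":
            findings.append(f"{name}: output 'quiet' also hides module errors")
        elif value == "none":
            findings.append(f"{name}: output 'none' omits results from the report")
        for opt_name, items in options.items():
            if not items:  # the page states each option has one or more items
                findings.append(f"{name}: option {opt_name!r} has no items")
    return modules, findings

if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE)[1]:
        print(line)
```

Running a check like this before passing a user-created profile to -p makes it visible when a module that reports security-relevant findings has been silenced by its output setting.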
