
Chapter 5. The sepolicy Suite

5.1. The sepolicy Python Bindings
5.2. Generating SELinux Policy Modules: sepolicy generate
5.3. Prioritizing SELinux Policy Modules
5.4. Understanding Domain Transitions: sepolicy transition
5.5. Generating Manual Pages: sepolicy manpage
The sepolicy utility provides a suite of features to query the installed SELinux policy. These features are either new or were previously provided by separate utilities, such as sepolgen or setrans. The suite allows you to generate transition reports, man pages, or even new policy modules, giving users easier access to, and a better understanding of, the SELinux policy.
The policycoreutils-devel package provides sepolicy. Run the following command as the root user to install sepolicy:
~]# dnf install policycoreutils-devel
The sepolicy suite provides the following features that are invoked as command-line parameters:
Table 5.1. The sepolicy Features
Feature       Description
booleans      Query the SELinux policy to see descriptions of Booleans
communicate   Query the SELinux policy to see if domains can communicate with each other
generate      Generate an SELinux policy module template
gui           Graphical user interface for the SELinux policy
interface     List SELinux policy interfaces
manpage       Generate SELinux man pages
network       Query SELinux policy network information
transition    Query the SELinux policy and generate a process transition report

5.1. The sepolicy Python Bindings

In previous versions of Fedora, the setools package included the sesearch and seinfo utilities. The sesearch utility is used for searching rules in an SELinux policy, while the seinfo utility allows you to query various other components in the policy.
In Fedora 25, Python bindings for sesearch and seinfo have been added so that you can use the functionality of these utilities via the sepolicy suite. See the example below:
> python
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
# Returns a dictionary of all information about SELinux attributes.
>>> sepolicy.search([sepolicy.ALLOW])
# Returns a dictionary of all allow rules in the policy.
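The following added example, which is not part of the original guide or of the sepolicy project, audits the rules returned by sepolicy.search([sepolicy.ALLOW]) for source/target pairs that can both modify and execute files. It assumes each rule is a dictionary with source, target, class, permlist and optional enabled keys; SAMPLE_RULES and write_and_execute are names made up for this example.

```python
from collections import defaultdict

# Constructed sample in the assumed shape of sepolicy.search([sepolicy.ALLOW])
# results: one dict per rule (assumed keys: source, target, class, permlist, enabled).
SAMPLE_RULES = [
    {"type": "allow", "source": "httpd_t", "target": "httpd_sys_content_t",
     "class": "file", "permlist": ["getattr", "open", "read"]},
    {"type": "allow", "source": "httpd_t", "target": "httpd_tmp_t",
     "class": "file", "permlist": ["create", "open", "write"]},
    {"type": "allow", "source": "httpd_t", "target": "httpd_tmp_t",
     "class": "file", "permlist": ["execute"], "enabled": True},
    {"type": "allow", "source": "user_t", "target": "user_home_t",
     "class": "file", "permlist": ["append", "write"]},
    {"type": "allow", "source": "user_t", "target": "user_home_t",
     "class": "file", "permlist": ["execute"], "enabled": False},
    {"type": "allow", "source": "httpd_t", "target": "httpd_tmp_t",
     "class": "dir", "permlist": ["write", "search"]},
]

WRITE_PERMS = {"append", "create", "write"}
EXEC_PERMS = {"execute", "execute_no_trans"}


def write_and_execute(rules, tclass="file"):
    """Return sorted (source, target) pairs that may both modify and execute
    objects of class `tclass`, merging permissions across separate rules."""
    granted = defaultdict(set)
    for rule in rules:
        if rule.get("class") != tclass:
            continue
        if not rule.get("enabled", True):  # conditional rule currently switched off
            continue
        granted[(rule["source"], rule["target"])].update(rule.get("permlist", []))
    return sorted(pair for pair, perms in granted.items()
                  if perms & WRITE_PERMS and perms & EXEC_PERMS)


if __name__ == "__main__":
    try:
        import sepolicy  # needs the sepolicy Python module and an installed policy
        rules = sepolicy.search([sepolicy.ALLOW])
        origin = "installed policy"
    except ImportError:
        rules, origin = SAMPLE_RULES, "constructed sample"
    print("write+execute pairs from %s:" % origin)
    for source, target in write_and_execute(rules):
        print("  %s -> %s" % (source, target))
```

Rules written against an attribute keep the attribute name as source or target here; the example does not expand attributes into their member types.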