sechecker [OPTIONS] -p profile Run profile

sechecker [OPTIONS] -m module -p profile Run module with profile

sechecker allows the user to perform predefined modular checks on a SELinux policy. Profiles exist to group modules together and allow modification of module settings (see below).

-l, --list

print a list of profiles and modules

-q, --quiet

suppress output

-s, --short

print short output

-v, --verbose

print verbose output

--version

print version and exit

--fcfile=<file>

file_contexts file

--policy=<file>

policy file

-h[mod], --help[=module]

print general help or help for a module

-m <mod>, --module=<mod>

module name

-p <prof>, --profile=<prof>

profile name or path

--min-sev=<low|med|high>

the minimum severity to report

<sechecker version="1.1">

<profile>

<module name="find_domains">

<output value="quiet"/>

<option name="domain_attribute">

<item value="domain"/>

<item value="user_domain"/>

...

</option>

</module>

...

</profile>

</sechecker>

The example profile specifies the output property for the find_domains module. The valid output values for each module are specified below:

verbose:

prints each result in the report with an accompanying proof

short:

prints a list of results without an accompanying proof

none:

does not print output in the report, however module errors will be printed

quiet:

does not print output in the report and does not print errors, (this is usefull for utility modules for which the calling module handles the errors)

The example profile also overrides the default value for the "domain_attribute" option in the find_domains module.