SELinux Policy Checker Tool Help File
This file contains the basic help information for using sechecker, a
program that runs a series of policy checks (modules) on a policy.
Sechecker is designed to be extensible and configurable so that
developers can easily add new policy checks and configure them to run
in batches with different options.
Each module analyzes a policy. If a policy is not specified on the
command line, the tool uses the system policy by default. In
addition, some checks will require the file_contexts file in order to
run correctly. If the file_contexts file is not specified, the tool
will default to using the system file_contexts file by default.
Checks can be run one at a time on the command line (by specifying a
module) or in a batch (by specifying a profile). The user can create
a custom profile to specify which modules to run, as well as the
The return value of sechecker indicates whether a check failed on the
policy. Therefore sechecker may be used in shell scripts or makefiles
to do conditional branching.
Sechecker generates a report with the output of each module that was
run. The report includes an explanation of each module, the modules'
severity, and the modules' results. There are three output options to
specify what gets included in the report.
1) quiet - do not print the report
2) short - print the list of results for each module
3) verbose - print the list of results for each module and the list of
proofs for each result
A module encapsulates a single check on the policy. Modules may take
options from the current profile; if no profile is given then modules
will use default values. See the help for the specific module(s) to
determine the parameters that may be overridden in a profile.
Each module has a specified severity (high, med, low). These are
defined as follows:
1) "high": The module's results indicate an identifiable security
risk in the SELinux policy.
2) "med": The module's results indicate a flaw in the SELinux policy
that changes the manner in which the policy is enforced; however,
it does not present an identifiable security risk.
3) "low": The module's results indicate a flaw in the policy that
does not affect the manner in which the policy is enforced, but is
considered to be improper.
Three profiles are installed with the sechecker program:
1) development: This profile includes several policy checks of low
and med severity. The checks are common tasks that a policy
developer will consider helpful for writing good policy.
2) analysis: This profile includes several policy checks of med and
low severity that are of higher computational complexity than the
development profile and is not meant to be used frequently by
3) all: This profile runs all known modules.
Profiles can be created to run any set of modules with different
options. The profile can specify the output format for each module.
The user may specify a minimum module severity to report. For
example, if the minimum severity is "med" and the "all" profile is
used, all modules that are "med" or "high" will be run and the results
for those modules will be reported by sechecker. The "low" severity
modules listed in the profile will be ignored.