avc_compute_member - Linux
Overview
avc_compute_member computes the primary or secondary membership of a SID. It is able to resolve SIDs to membership in SELinux security contexts.
Syntax
avc_compute_member [--version] [--verbose]
[-s sid] [-c context] [-r] [-l] [-p]
[--list] [--binary] [--description]
[--explicit] [--output=outfile]
Options/Flags
- -s sid: Specify the SID to resolve; required when -c is not given.
- -c context: Specify the context for which to compute membership; required when -s is not given.
- -r: Recursively compute membership. Membership is computed by resolving children of the specified SID or context up the chain of membership.
- -l: Print level of membership for each SID.
- -p: Print the SID of the member, not the textual name.
- --list: List the available SIDs to resolve membership in.
- --binary: Produce a binary output suitable for use as policy.
- --description: Print a description of each SID.
- --explicit: Only print members for which the given SID or context is explicitly specified.
- --output=outfile: Specify the file to which to write the output.
Examples
Compute the membership of the user_sid SID:
avc_compute_member -s user_sid
Compute the membership of the initrc context:
avc_compute_member -c initrc
Recursively compute the membership of the user_sid SID:
avc_compute_member -s user_sid -r
Print the membership of the user_sid SID in binary format:
avc_compute_member -s user_sid --binary
List the available SIDs to resolve membership in:
avc_compute_member --list
Common Issues
If the context given does not exist, the command will return an error.
Integration
avc_compute_member can be combined with other tools to perform complex security analysis tasks. For example, it can be used to generate a list of all SIDs that have membership in a given context.
Related Commands
avc_check
audit2allow