| Message ID | 20230524111535.1743163-4-vmojzis@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | [1/5] policycoreutils: Add examples to man pages | expand |
Vit Mojzis <vmojzis@redhat.com> writes: > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> > --- > checkpolicy/checkpolicy.8 | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 > index 2984c238..aefa148c 100644 > --- a/checkpolicy/checkpolicy.8 > +++ b/checkpolicy/checkpolicy.8 > @@ -12,8 +12,8 @@ command. > .PP > .B checkpolicy > is a program that checks and compiles a SELinux security policy configuration > -into a binary representation that can be loaded into the kernel. If no > -input file name is specified, > +into a binary representation that can be loaded into the kernel. > +If no input file name is specified, > .B checkpolicy > will attempt to read from policy.conf or policy, depending on whether the \-b > flag is specified. > @@ -64,6 +64,17 @@ Show version information. > .B \-h,\-\-help > Show usage information. > > +.SH EXAMPLE > +.nf > +Generate policy.conf based on the system policy > +# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf Would not work on a system with multiple policy files: # ls -l /etc/selinux/targeted/policy/ total 7016 -rw-r--r--. 1 root root 3590656 May 31 16:42 policy.32 -rw-r--r--. 1 root root 3590656 May 29 08:22 policy.33 # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf usage: checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-c policyvers (15-33)] [-o output_file|-] [-S] [-O] [-t target_platform (selinux,xen)] [-E] [-V] [input_file] In EXAMPLES I think it's safe to use policy.33 everywhere. > +Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^). > +Note that binary policy extension represents its version, which is subject to change > +# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf > +# load_policy > +Generate CIL representation of current system policy > +# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.* -o policy.out > + > .SH "SEE ALSO" > SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki > > -- > 2.40.0
diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 index 2984c238..aefa148c 100644 --- a/checkpolicy/checkpolicy.8 +++ b/checkpolicy/checkpolicy.8 @@ -12,8 +12,8 @@ command. .PP .B checkpolicy is a program that checks and compiles a SELinux security policy configuration -into a binary representation that can be loaded into the kernel. If no -input file name is specified, +into a binary representation that can be loaded into the kernel. +If no input file name is specified, .B checkpolicy will attempt to read from policy.conf or policy, depending on whether the \-b flag is specified. @@ -64,6 +64,17 @@ Show version information. .B \-h,\-\-help Show usage information. +.SH EXAMPLE +.nf +Generate policy.conf based on the system policy +# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf +Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^). +Note that binary policy extension represents its version, which is subject to change +# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf +# load_policy +Generate CIL representation of current system policy +# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.* -o policy.out + .SH "SEE ALSO" SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- checkpolicy/checkpolicy.8 | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)