[01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains
diff mbox

Message ID 20170503103036.17514-2-plautrba@redhat.com
State Not Applicable
Headers show

Commit Message

Petr Lautrbach May 3, 2017, 10:30 a.m. UTC
From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Patch
diff mbox

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1af4295c..3ebdfeb7 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -504,6 +504,7 @@  class ManPage:
             self._booleans()
 
         self._port_types()
+        self._mcs_types()
         self._writes()
         self._footer()
 
@@ -527,6 +528,7 @@  class ManPage:
         self._header()
         self._entrypoints()
         self._process_types()
+        self._mcs_types()
         self._booleans()
         self._nsswitch_domain()
         self._port_types()
@@ -923,6 +925,17 @@  All executeables with the default executable label, usually stored in /usr/bin a
         self.fd.write("""
 %s""" % ", ".join(paths))
 
+    def _mcs_types(self):
+        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+        if "mcs_constrained_type" not in attributes:
+            return
+        self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type.  Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users.  The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
     def _writes(self):
         permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
         if permlist is None or len(permlist) == 0: