From patchwork Sun Aug 9 16:21:08 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11706741
X-Patchwork-Delegate: paul@paul-moore.com
From: Richard Haines
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH] selinux-notebook: policy_config_files.md convert to markdown
Date: Sun, 9 Aug 2020 17:21:08 +0100
Message-Id: <20200809162108.193636-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
Sender: selinux-owner@vger.kernel.org
X-Mailing-List: selinux@vger.kernel.org
Add a TOC to aid navigation and convert HTML tables to markdown
unordered lists.
Signed-off-by: Richard Haines
---
src/policy_config_files.md | 477 ++++++++++++++++++-------------------
1 file changed, 233 insertions(+), 244 deletions(-)
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index b6ae69c..e7fab1e 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -1,5 +1,37 @@
# Policy Configuration Files
+- [setrans.conf](#setrans.conf)
+- [*secolor.conf*](#secolor.conf)
+- [*policy/policy.\*](#policypolicy.ver)
+- [*contexts/customizable_types*](#contextscustomizable_types)
+- [*contexts/default_contexts*](#contextsdefault_contexts)
+- [*contexts/dbus_contexts*](#contextsdbus_contexts)
+- [*contexts/default_type*](#contextsdefault_type)
+- [*contexts/failsafe_context*](#contextsfailsafe_context)
+- [*contexts/initrc_context*](#contextsinitrc_context)
+- [*contexts/lxc_contexts*](#contextslxc_contexts)
+- [*contexts/netfilter_contexts* - Obsolete](#contextsnetfilter_contexts---obsolete)
+- [*contexts/openrc_contexts*](#contextsopenrc_contexts)
+- [*contexts/openssh_contexts*](#contextsopenssh_contexts)
+- [*contexts/removable_context*](#contextsremovable_context)
+- [*contexts/sepgsql_contexts*](#contextssepgsql_contexts)
+- [*contexts/snapperd_contexts*](#contextssnapperd_contexts)
+- [*contexts/securetty_types*](#contextssecuretty_types)
+- [*contexts/systemd_contexts*](#contextssystemd_contexts)
+- [*contexts/userhelper_context*](#contextsuserhelper_context)
+- [*contexts/virtual_domain_context*](#contextsvirtual_domain_context)
+- [*contexts/virtual_image_context*](#contextsvirtual_image_context)
+- [*contexts/x_contexts*](#contextsx_contexts)
+- [*contexts/files/file_contexts*](#contextsfilesfile_contexts)
+- [*contexts/files/file_contexts.local*](#contextsfilesfile_contexts.local)
+- [*contexts/files/file_contexts.homedirs*](#contextsfilesfile_contexts.homedirs)
+- [*contexts/files/file_contexts.subs*](#contextsfilesfile_contexts.subs)
+- [*contexts/files/file_contexts.subs_dist*](#contextsfilesfile_contexts.subs_dist)
+- [*contexts/files/media*](#contextsfilesmedia)
+- [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
+- [*logins/\*](#loginslinuxuser_id)
+- [*users/local.users*](#userslocal.users)
+
Each file discussed in this section is relative to the policy name as
follows:
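Review bot: the new TOC does not match the headings it links to. The entry `[*policy/policy.\*](#policypolicy.ver)` has lost the `<ver>` placeholder (the anchor still says `policy.ver`), and `[*logins/\*](#loginslinuxuser_id)` has lost `<linuxuser_id>` in the same way; it looks like the angle-bracketed names were swallowed as HTML tags. Escape them (e.g. `*policy/policy.\<ver\>*`, `*logins/\<linuxuser_id\>*`) or put the file names in backticks so the placeholder survives rendering. The first entry `[setrans.conf](#setrans.conf)` also lacks the italics every other entry uses, and the list omits the *seusers* and *booleans* sections that precede *setrans.conf* in the file.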
@@ -20,16 +52,16 @@ For example the simple
described in the Notebook examples could run at init 3 (i.e. no X-Windows)
and only require the following configuration files:
-- *./seusers* - For login programs.
-- *./policy/policy.<ver>* - The binary policy loaded into the kernel.
-- *./context/files/file_contexts* - To allow the filesystem to be relabeled.
+- *seusers* - For login programs.
+- *policy/policy.\* - The binary policy loaded into the kernel.
+- *context/files/file_contexts* - To allow the filesystem to be relabeled.
If the simple policy is to run at init 5, (i.e. with X-Windows) then an
additional two files are required:
-- *./context/dbus_contexts* - To allow the dbus messaging service to run under
+- *context/dbus_contexts* - To allow the dbus messaging service to run under
SELinux.
-- *./context/x_contexts* - To allow the X-Windows service to run under SELinux.
+- *context/x_contexts* - To allow the X-Windows service to run under SELinux.
## *seusers*
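Review bot: since these lines are being rewritten anyway, the directory name should be corrected at the same time: the `+` lines still read `*context/files/file_contexts*`, `*context/dbus_contexts*` and `*context/x_contexts*`, but the real directory (and the TOC entries above) is `contexts/`. The `*policy/policy.\*` entry has also lost its `<ver>` placeholder; see the TOC comment.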
@@ -43,13 +75,13 @@ typical login sequence would be:
entry.
- To determine the remaining context to be used as the security
context, read the
- [*./contexts/users/[seuser_id]*](#contextsusersseuser_id)
+ [*contexts/users/[seuser_id]*](#contextsusersseuser_id)
file. If this file is not present, then:
- Check for a default context in the
- [*./contexts/default_contexts*](#contextsdefault_contexts)
+ [*contexts/default_contexts*](#contextsdefault_contexts)
file. If no default context is found, then:
- Read the
- [*./contexts/failsafe_context*](#contextsfailsafe_context) file
+ [*contexts/failsafe_context*](#contextsfailsafe_context) file
to allow a fail safe context to be set.
Note: The *system_u* user is defined in this file, however there must be
@@ -89,9 +121,9 @@ file section.
For systems that do use these files:
- ***security_set_boolean_list**(3)* - Writes a *boolean.local* file if
-flag *permanent* = '*1*'.
+ flag *permanent* = '*1*'.
- ***security_load_booleans**(3)* - Will look for a *booleans* or
-*booleans.local* file here unless a specific path is specified.
+ *booleans.local* file here unless a specific path is specified.
Both files have the same format and contain one or more boolean names.
@@ -103,19 +135,14 @@ boolean_name value
**Where:**
-
-
-
-boolean_name |
-The name of the boolean. |
-
-
-value |
-The default setting for the boolean that can be one of the following:
-true | false | 1 | 0 |
-
-
-
+*boolean_name*
+
+- The name of the boolean.
+
+*value*
+
+- The default setting for the boolean that can be one of the following:
+ - *true* | *false* | *1* | *0*
Note that if *SETLOCALDEFS* is set in the SELinux
[*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) file, then
@@ -127,7 +154,7 @@ in the ***selinux_users_path**(3)*.
The *booleans.subs_dist* file (if present) will allow new boolean names
to be allocated to those in the active policy. This file was added
-because many older booleans began with 'allow' that made it difficult to
+because many older booleans began with '*allow*' that made it difficult to
determine what they did. For example the boolean *allow_console_login*
becomes more descriptive as *login_console_enabled*. If the
*booleans.subs_dist* file is present, then either name may be used.
@@ -143,13 +170,18 @@ policy_bool_name new_name
**Where:**
-- *policy_bool_name* - The policy boolean name.
-- *new_name* - The new boolean name.
+*policy_bool_name*
+
+- The policy boolean name.
+
+*new_name*
+
+- The new boolean name.
**Example:**
```
-# ./booleans.subs_dist
+# booleans.subs_dist
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
@@ -168,7 +200,7 @@ Supporting libselinux API functions are:
- ***security_get_boolean_names**(3)*
- ***security_set_boolean**(3)*
-## setrans.conf
+## *setrans.conf*
The ***setrans.conf**(8)* file is used by the ***mcstransd**(8)* daemon
(available in the mcstrans rpm). The daemon enables SELinux-aware
@@ -244,42 +276,41 @@ context_component string fg_color_name bg_color_name
**Where:**
-
-
-
-color |
-The color keyword. |
-
-
-color_name |
-A descriptive name for the colour (e.g. red). |
-
-
-color_mask |
-A colour mask starting with a hash (#) that describes the RGB colours with black being #000000 and white being #ffffff. |
-
-
-context_component |
-The colour translation supports different colours on the context string components (user, role, type and range). Each component is on a separate line. |
-
-
-string |
-This is the context_component string that will be matched with the raw context component passed by selinux_raw_context_to_color(3)
-A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only
-A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only. |
-
-
-fg_color_name |
-The color_name string that will be used as the foreground colour.
-A color_mask may also be used. |
-
-
-bg_color_name |
-The color_name string that will be used as the background colour.
-A color_mask may also be used. |
-
-
-
+*color*
+
+- The color keyword.
+
+*color_name*
+
+- A descriptive name for the colour (e.g. *red*).
+
+*color_mask*
+
+- A colour mask starting with a hash '*#*' that describes the RGB colours
+ with black being *#000000* and white being *#ffffff*.
+
+*context_component*
+
+- The colour translation supports different colours on the context string
+ components (*user*, *role*, *type* and *range*). Each component is on a
+ separate line.
+
+*string*
+
+- This is the *context_component* string that will be matched with the
+ *raw* context component passed by ***selinux_raw_context_to_color**(3)*.
+ A wildcard '*\**' may be used to match any undefined *string* for the
+ *user*, *role* and *type* *context_component* entries only.
+
+*fg_color_name*
+
+- The *color_name* string that will be used as the foreground colour.
+ A *color_mask* may also be used.
+
+*bg_color_name*
+
+- The *color_name* string that will be used as the background colour.
+ A *color_mask* may also be used.
**Example file contents:**
@@ -317,7 +348,7 @@ user : role : type : range
black white white black tan orange black green
```
-## *policy/policy.<ver>*
+## *policy/policy.\*
This is the binary policy file that is loaded into the kernel to enforce
policy and is built by either ***checkpolicy**(8)* or ***semodule**(8)*. Life
@@ -337,7 +368,7 @@ section.
The ***customizable_types**(5)* file contains a list of types that will
not be relabeled by the ***setfiles**(8)* or **restorecon**(8) commands.
The commands check this file before relabeling and excludes those in the
-list unless the -F flag is used (see the man pages).
+list unless the *-F* flag is used (see the man pages).
**The file format is as follows:**
@@ -347,14 +378,11 @@ type
**Where:**
-
-
-
-type |
-The type defined in the policy that needs to excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work. |
-
-
-
+*type*
+
+- The type defined in the policy that needs to excluded from relabeling.
+ An example is when a file has been purposely relabeled with a different
+ type to allow an application to work.
**Example file contents:**
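Review bot: the rewritten bullet carries over a pre-existing typo, "The type defined in the policy that needs to excluded from relabeling." It should read "needs to be excluded"; worth fixing while the line is being touched.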
@@ -384,8 +412,8 @@ login applications) where:
been determined as described in the [*seusers*](#seusers) file
section.
3. The login applications will check the
- [*./contexts/users/[seuser_id]*](#contextsusersseuser_id) file
- first and if no valid entry, will then look in the [seuser_id]
+ [*contexts/users/[seuser_id]*](#contextsusersseuser_id) file
+ first and if no valid entry, will then look in the *[seuser_id]*
file for a default context to use.
**The file format is as follows:**
@@ -396,16 +424,14 @@ role:type[:range] role:type[:range] ...
**Where:**
-
-
-
-role:type[:range] |
-The file contains one or more lines that consist of role:type[:range] pairs (including the MLS / MCS level or range if applicable).
-The entry at the start of a new line corresponds to the partial role:type[:range] context of (generally) the login application.
-The other role:type[:range] entries on that line represent an ordered list of valid contexts that may be used to set the users context. |
-
-
-
+*role:type[:range]*
+
+- The file contains one or more lines that consist of *role:type[:range]*
+ pairs (including the MLS / MCS *level* or *range* if applicable).
+ - The entry at the start of a new line corresponds to the partial
+ *role:type[:range]* context of (generally) the login application.
+ - The other *role:type[:range]* entries on that line represent an ordered
+ list of valid contexts that may be used to set the users context.
**Example file contents:**
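Review bot: minor wording in the last new bullet, "that may be used to set the users context": this should be "the user's context" (possessive), as the line is being reflowed anyway.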
@@ -420,7 +446,7 @@ system_r:xdm_t:s0 user_r:user_t:s0
**Supporting libselinux API functions are:**
-Note that the *./contexts/users/[seuser_id]* file is also read by some of
+Note that the *contexts/users/[seuser_id]* file is also read by some of
these functions.
- ***selinux_contexts_path**(3)*
@@ -500,14 +526,10 @@ role:type
**Where:**
-
-
-
-role:type |
-The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy. |
-
-
-
+*role:type*
+
+- The file contains one or more lines that consist of *role:type* entries.
+ There should be one line for each role defined within the policy.
**Example file contents:**
@@ -539,14 +561,10 @@ role:type[:range]
**Where:**
-
-
-
-role:type[:range] |
-A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable. |
-
-
-
+*role:type[:range]*
+
+- A single line that has a valid context to allow an administrator access
+ to the system, including the MLS / MCS *level* or *range* if applicable.
**Example file contents:**
@@ -581,14 +599,10 @@ user:role:type[:range]
**Where:**
-
-
-
-user:role:type[:range] |
-The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable. |
-
-
-
+*user:role:type[:range]*
+
+- The file contains one line that consists of a security context,
+ including the MLS / MCS *level* or *range* if applicable.
**Example file contents:**
@@ -618,27 +632,26 @@ content = "security_context"
**Where:**
-
-
-
-process |
-A single process entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable. |
-
-
-file |
-A single file entry that contains the lxc file security context, including the MLS / MCS level or range if applicable. |
-
-
-content |
-A single content entry that contains the lxc content security context, including the MLS / MCS level or range if applicable. |
-
-
-sandbox_kvm_process
-sandbox_lxc_process |
-These entries may be present and contain the security context. |
-
-
-
+*process*
+
+- A single *process* entry that contains the lxc domain security context,
+ including the MLS / MCS *level* or *range* if applicable.
+
+*file*
+
+- A single *file* entry that contains the lxc file security context,
+ including the MLS / MCS *level* or *range* if applicable.
+
+*content*
+
+- A single *content* entry that contains the lxc content security context,
+ including the MLS / MCS *level* or *range* if applicable.
+
+*sandbox_kvm_process*
+
+*sandbox_lxc_process*
+
+- These entries may be present and contain the security context.
**Example file contents:**
@@ -711,14 +724,10 @@ user:role:type[:range]
**Where:**
-
-
-
-user:role:type[:range] |
-The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable. |
-
-
-
+*user:role:type[:range]*
+
+- The file contains one line that consists of a security context,
+ including the MLS / MCS *level* or *range* if applicable.
**Example file contents:**
@@ -743,23 +752,22 @@ object_type object_name context
**Where:**
-
-
-
-object_type |
-This is the string representation of the object type. |
-
-
-object_name |
-These are the object names of the specific database objects.
-The entry can contain '*' for wildcard matching or '?' for substitution. Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the object_type block. |
-
-
-context |
-The security context that will be applied to the object. |
-
-
-
+*object_type*
+
+- This is the string representation of the object type.
+
+*object_name*
+
+- These are the object names of the specific database objects.
+ The entry can contain '*\**' for wildcard matching or '*?*' for
+ substitution. Note that if the '*\**' is used, then be aware that the order
+ of entries in the file is important. The '*\**' on its own is used to ensure
+ a default fallback context is assigned and should be the last entry in the
+ *object_type* block.
+
+*context*
+
+- The security *context* that will be applied to the object.
**Example file contents:**
@@ -800,14 +808,9 @@ type
**Where:**
-
-
-
-type |
-Zero or more type entries that are defined in the policy for tty devices. |
-
-
-
+*type*
+
+- Zero or more type entries that are defined in the policy for tty devices.
**Example file contents:**
@@ -833,18 +836,15 @@ service_class = security_context
**Where:**
-
-
-
-service_class |
-One or more entries that relate to the systemd service (e.g. runtime, transient). |
-
-
-security_context |
-The security context, including the MLS / MCS level or range if applicable of the service to be run. |
-
-
-
+*service_class*
+
+- One or more entries that relate to the ***systemd**(1)* service (e.g.
+ runtime, transient).
+
+*security_context*
+
+- The security context, including the MLS / MCS *level* or *range* if
+ applicable of the service to be run.
**Example file contents:**
@@ -860,7 +860,7 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
## *contexts/userhelper_context*
This file contains the default security context used by the
-system-config-* applications when running from root.
+system-config-\* applications when running from root.
**The file format is as follows:**
@@ -870,14 +870,10 @@ security_context
**Where:**
-
-
-
-security_context |
-The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable. |
-
-
-
+*security_context*
+
+- The file contains one line that consists of a full security context,
+ including the MLS / MCS *level* or *range* if applicable.
**Example file contents:**
@@ -931,7 +927,7 @@ system_u:object_r:virt_content_t:s0
The ***x_contexts**(5)* file provides the default security contexts for
the X-Windows SELinux security extension. The usage is discussed in the
-[SELinux X-Windows Support](x_windows.md#x-windows-selinux-support)section.
+[SELinux X-Windows Support](x_windows.md#x-windows-selinux-support) section.
The MCS / MLS version of the file has the appropriate level or
range information added.
@@ -944,23 +940,27 @@ selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
**Where:**
-
-
-
-object_type |
-These are types of object supported and valid entries are: client, property, poly_property, extension, selection, poly_selection and events. |
-
-
-object_name |
-These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package).
-This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers). |
-
-
-context |
-This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label. |
-
-
-
+
+*object_type*
+
+- These are types of object supported and valid entries are: *client*,
+ *property*, *poly_property*, *extension*, *selection*, *poly_selection*
+ and *events*.
+
+*object_name*
+
+- These are the object names of the specific X-server resource such as
+ *PRIMARY*, *CUT_BUFFER0* etc. They are generally defined in the X-server
+ source code (*protocol.txt* and *BuiltInAtoms* in the *dix* directory of
+ the *xorg-server* source package). This can contain '*\**' for 'any'
+ or '*?*' for 'substitute' (see the *CUT_BUFFER?* entry where the '*?*'
+ would be substituted for a number between 0 and 7 that represents the
+ number of these buffers).
+
+*context*
+
+- This is the security context that will be applied to the object.
+ For MLS/MCS systems there would be the additional MLS label.
**Supporting libselinux API functions are:**
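Review bot: this hunk adds a stray blank `+` line directly after `**Where:**`, giving two blank lines before `*object_type*`, whereas every other converted "Where:" block in this patch uses a single blank line. Drop the extra line for consistency.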
@@ -973,12 +973,12 @@ selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
## *contexts/files/file_contexts*
The ***file_contexts**(5)* file is managed by the ***semodule**(8)* and
-***semanage**(8)* commands
+***semanage**(8)* commands[^fn_pcf_1]
as the policy is updated (adding or removing modules or updating the base),
and therefore should not be edited.
The file is used by a number of SELinux-aware commands (***setfiles**(8)*,
-***fixfiles**(8)*, ***restorecon**(8)*) to relabel either part or all of the
+***fixfiles**(8)*, ***restorecon**(8)* to relabel either part or all of the
file system.
Note that users home directory file contexts are not present in this
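Review bot: the second change in this hunk unbalances the parentheses. The old line `***fixfiles**(8)*, ***restorecon**(8)*) to relabel` closed the list opened two lines earlier by `(***setfiles**(8)*,`; the new line `***fixfiles**(8)*, ***restorecon**(8)* to relabel` drops that closing `)`, so the opening bracket before *setfiles* is now never closed. Restore it as `***restorecon**(8)*)`. The footnote reference `[^fn_pcf_1]` added to the *semanage* line is fine, provided the footnote definition at the end of the file keeps its path intact (see the last hunk).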
@@ -1037,8 +1037,8 @@ Perl compatible regular expression (PCRE) internal format.
- ***selinux_file_context_homedir_path**(3)*
- ***selinux_homedir_context_path**(3)*
-## contexts/files/file_contexts.subs
-## contexts/files/file_contexts.subs_dist
+## *contexts/files/file_contexts.subs*
+## *contexts/files/file_contexts.subs_dist*
These files allow substitution of file names (*.subs* for local use and
*.subs_dist* for GNU / Linux distributions use) for the *libselinux*
@@ -1083,18 +1083,14 @@ media_id file_context
**Where:**
-
-
-
-media_id |
-The media identifier (those known are: cdrom, floppy, disk and usb). |
-
-
-file_context |
-The context to be used for the device. Note that it does not have the MLS / MCS level). |
-
-
-
+*media_id*
+
+- The media identifier (those known are: cdrom, floppy, disk and usb).
+
+*file_context*
+
+- The context to be used for the device. Note that it does not have the
+ MLS / MCS level).
**Example file contents:**
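Review bot: the *file_context* bullet carries over an unmatched bracket, "Note that it does not have the MLS / MCS level)." Either drop the trailing `)` or write "(note that it does not have the MLS / MCS level)" so the parenthesis is balanced.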
@@ -1145,7 +1141,7 @@ system_r:init_t:s0 unconfined_r:unconfined_t:s0
- ***get_ordered_context_list**(3)*
- ***get_ordered_context_list_with_level**(3)*
-## *logins/<linuxuser_id>*
+## *logins/\*
These optional files are used by SELinux-aware login applications such
as PAM (using the *pam_selinux* module) to obtain an SELinux user name
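Review bot: `## *logins/<linuxuser_id>*` becomes `## *logins/\*` here, losing the `<linuxuser_id>` placeholder that tells the reader the file is named after the Linux user; the TOC still links to `#loginslinuxuser_id`. Keep the placeholder with escaped brackets, `## *logins/\<linuxuser_id\>*`, consistent with how the TOC anchor was derived.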
@@ -1170,27 +1166,22 @@ service_name:seuser_id:level
**Where:**
-
-
-
-service_name |
-The name of the service. |
-
-
-seuser_id |
-The SELinux user name. |
-
-
-level |
-The run level |
-
-
-
+*service_name*
+
+- The name of the service.
+
+*seuser_id*
+
+- The SELinux user name.
+
+*level*
+
+- The run level
**Example file contents:**
```
-# ./logins/ipa example entries
+# logins/ipa example entries
ipa_service:user_u:s0
another_service:unconfined_u:s0
```
@@ -1199,7 +1190,7 @@ another_service:unconfined_u:s0
- ***getseuser**(3)*
-## users/local.users
+## *users/local.users*
**NOTE: These were removed in libselinux 3.0**
@@ -1218,11 +1209,9 @@ Note that if *SETLOCALDEFS* is set in the SELinux
in the ***selinux_booleans_path**(3)*, and also a *local.users* file
in the ***selinux_users_path**(3)*.
-
+[^fn_pcf_1]: As each module would have its own *file_contexts* component that
+is either added or removed from the policies overall
+*/etc/selinux/\/contexts/files/file_contexts* file.
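Review bot: the footnote path is broken: `*/etc/selinux/\/contexts/files/file_contexts*` has an empty component between `selinux/` and `/contexts` where the policy-name placeholder (the `<policy_name>` that the rest of this document uses for the directory under `/etc/selinux/`) was evidently dropped as an HTML tag. Escape it, e.g. `*/etc/selinux/\<policy_name\>/contexts/files/file_contexts*`. Also "the policies overall ... file" should read "the policy's overall ... file".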