From patchwork Wed Sep  2 13:17:26 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11750633
Return-Path: <SRS0=YX5s=CL=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F73C109B
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed,  2 Sep 2020 13:21:51 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id EBD222083B
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed,  2 Sep 2020 13:21:50 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="rcFLUH5k"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726948AbgIBNU7 (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Wed, 2 Sep 2020 09:20:59 -0400
Received: from mailomta4-sa.btinternet.com ([213.120.69.10]:23987 "EHLO
        sa-prd-fep-042.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1727783AbgIBNSy (ORCPT
        <rfc822;selinux@vger.kernel.org>); Wed, 2 Sep 2020 09:18:54 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-042.btinternet.com with ESMTP
          id
 <20200902131744.VSYZ26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:44 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052664;
        bh=4CuCl3ZGb3eXUCF7I0EoQVrYtT38Ut+MJdeqNvA/lBY=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=rcFLUH5k2p4QJljufHs2Yce6uPJrb5iS+4RkrdGBNqgighh5YJVz1nIL1EERUTd1dqGypJLhsoBzwmLmjHfJtUy9jkkfEP6tVVlXKVK47rLM96CdObO6Bmdb4FUqEQNvYczOd9J1KO/E9sDoQR4E19ng2+8rrKYOg/e7pEDrjuy1OLqIcQQ8582vNB8Y5AJ10o905bOFcfYuDdleDy30RTHEPjlRbW874zqMIKt38Uqdte3oGOV8IB5PtVIdH5BWggiyXxYC5bCDme8yyXkt3G2rEdu98QqTyFobbhwOnuGLH6KXf+BhBSanBKCpTvzW6nX7jckc5x/Y/XKzcHcrTQ==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfgggtgfesthekredtredtjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnhepieduteeiteeiteejgfeiueejfedvueduvdelkeetudegleekffetgfdvjedvfeeknecuffhomhgrihhnpegtohhnthgvgihtrdhlohgtrghlnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehv
        ghgvrhdrkhgvrhhnvghlrdhorhhgqe
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36B6E; Wed, 2 Sep 2020 14:17:44 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 01/13] libselinux_functions: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:26 +0100
Message-Id: <20200902131738.18425-2-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Convert to markdown

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/libselinux_functions.md | 2179 ++++++++++++++++++-----------------
 1 file changed, 1092 insertions(+), 1087 deletions(-)

diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md
index 9cae37a..b06018a 100644
--- a/src/libselinux_functions.md
+++ b/src/libselinux_functions.md
@@ -2,1096 +2,1101 @@
 
 These functions have been taken from the following header files of
 *libselinux* version 3.0:
--   */usr/include/selinux/avc.h*
--   */usr/include/selinux/context.h*
--   */usr/include/selinux/get_context_list.h*
--   */usr/include/selinux/get_default_type.h*
--   */usr/include/selinux/label.h*
--   */usr/include/selinux/restorecon.h*
--   */usr/include/selinux/selinux.h*
+
+- */usr/include/selinux/avc.h*
+- */usr/include/selinux/context.h*
+- */usr/include/selinux/get_context_list.h*
+- */usr/include/selinux/get_default_type.h*
+- */usr/include/selinux/label.h*
+- */usr/include/selinux/restorecon.h*
+- */usr/include/selinux/selinux.h*
 
 The appropriate ***man**(3)* pages should consulted for detailed usage.
 
-<table>
-<tbody>
-<tr style="background-color:#F2F2F2;">
-<td><strong>Function Name</strong></td>
-<td><strong>Description</strong></td>
-<td><strong>Header File</strong></td>
-</tr>
-<tr>
-<td>avc_add_callback</td>
-<td>Register a callback for security events.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_audit</td>
-<td>Audit the granting or denial of permissions in accordance with the policy. This function is typically called by <strong>avc_has_perm</strong>(3) after a permission check, but can also be called directly by callers who use <strong>avc_has_perm_noaudit</strong>(3) in order to separate the permission check from the auditing. For example, this separation is useful when the permission check must be performed under a lock, to allow the lock to be released before calling the auditing code.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_av_stats</td>
-<td>Log AV table statistics. Logs a message with information about the size and distribution of the access vector table. The audit callback is used to print the message.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_cache_stats</td>
-<td>Get cache access statistics. Fill the supplied structure with information about AVC activity since the last call to <strong>avc_init</strong>(3) or <strong>avc_reset</strong>(3).</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_cleanup</td>
-<td><p>Remove unused SIDs and AVC entries.</p>
-<p>Search the SID table for SID structures with zero reference counts, and remove them along with all AVC entries that reference them. This can be used to return memory to the system.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_compute_create</td>
-<td>Compute SID for labeling a new object. Call the security server to obtain a context for labeling a new object. Look up the context in the SID table, making a new entry if not found.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_compute_member</td>
-<td><p>Compute SID for polyinstantation.</p>
-<p>Call the security server to obtain a context for labeling an object instance. Look up the context in the SID table, making a new entry if not found.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td><p>avc_context_to_sid</p>
-<p>avc_context_to_sid_raw</p></td>
-<td>Get SID for context. Look up security context <em>ctx</em> in SID table, making a new entry if <em>ctx</em> is not found. Store a pointer to the SID structure into the memory referenced by <em>sid</em>, returning 0 on success or -1 on error with <em>errno</em> set.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_destroy</td>
-<td><p>Free all AVC structures.</p>
-<p>Destroy all AVC structures and free all allocated memory. User-supplied locking, memory, and audit callbacks will be retained, but security-event callbacks will not. All SID's will be invalidated. User must call <strong>avc_init</strong>(3) if further use of AVC is desired.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_entry_ref_init</td>
-<td><p>Initialize an AVC entry reference.</p>
-<p>Use this macro to initialize an avc entry reference structure before first use. These structures are passed to <strong>avc_has_perm</strong>(3), which stores cache entry references in them. They can increase performance on repeated queries.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_get_initial_sid</td>
-<td><p>Get SID for an initial kernel security identifier.</p>
-<p>Get the context for an initial kernel security identifier specified by name using <strong>security_get_initial_context</strong>(3) and then call <strong>avc_context_to_sid</strong>(3) to get the corresponding SID.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_has_perm</td>
-<td><p>Check permissions and perform any appropriate auditing.</p>
-<p>Check the AVC to determine whether the requested permissions are granted for the SID pair (ssid, tsid), interpreting the permissions based on tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update aeref to refer to an AVC entry with the resulting decisions. Audit the granting or denial of permissions in accordance with the policy. Return 0 if all requested permissions are granted, -1 with errno set to EACCES if any permissions are denied or to another value upon other errors.</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_has_perm_noaudit</td>
-<td>Check permissions but perform no auditing. Check the AVC to determine whether the requested permissions are granted for the SID pair (ssid, tsid), interpreting the permissions based on tclass, and call the security server on a cache miss to obtain a new decision and add it to the cache. Update aeref to refer to an AVC entry with the resulting decisions, and return a copy of the decisions in avd. Return 0 if all requested permissions are granted, -1 with errno set to EACCES if any permissions are denied, or to another value upon other errors. This function is typically called by <strong>avc_has_perm</strong>(3), but may also be called directly to separate permission checking from auditing, e.g. in cases where a lock must be held for the check but should be released for the auditing.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_init (deprecated)</td>
-<td><p>Use <em>avc_open</em></p>
-<p>Initialize the AVC. Initialize the access vector cache. Return 0 on success or -1 with errno set on failure. If msgprefix is NULL, use "uavc". If any callback structure references are NULL, use default methods for those callbacks (see the definition of the callback structures).</p></td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_acquire_fd</td>
-<td>Create a netlink socket and connect to the kernel.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_check_nb</td>
-<td>Wait for netlink messages from the kernel.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_close</td>
-<td>Close the netlink socket.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_loop</td>
-<td>Acquire netlink socket fd. Allows the application to manage messages from the netlink socket in its own main loop.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_open</td>
-<td>Release netlink socket fd. Returns ownership of the netlink socket to the library.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_netlink_release_fd</td>
-<td>Check netlink socket for new messages. Called by the application when using <em><strong>avc_netlink_acquire_fd</strong>(3)</em> to process kernel netlink events.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_open</td>
-<td>Initialize the AVC. This function is identical to <strong>avc_init</strong>(3) except the message prefix is set to "avc" and any callbacks desired should be specified via <strong>selinux_set_callback</strong>(3).</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_reset</td>
-<td>Flush the cache and reset statistics. Remove all entries from the cache and reset all access statistics (as returned by <strong>avc_cache_stats</strong>(3)) to zero. The SID mapping is not affected. Return 0 on success, -1 with errno set on error.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>avc_sid_stats</td>
-<td>Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td><p>avc_sid_to_context</p>
-<p>avc_sid_to_context_raw</p></td>
-<td>Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input sid in the memory referenced by ctx. The caller is expected to free the context with <strong>freecon</strong>(3). Return 0 on success, -1 on failure, with errno set to ENOMEM if insufficient memory was available to make the copy, or EINVAL if the input SID is invalid.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>checkPasswdAccess (deprecated)</td>
-<td><p>Use <em><strong>selinux_check_passwd_access</strong>(3)</em> or preferably <em><strong>selinux_check_access</strong>(3)</em></p>
-<p>Check a permission in the passwd class. Return 0 if granted or -1 otherwise.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>context_free</td>
-<td>Free the storage used by a context.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_new</td>
-<td>Return a new context initialized to a context string.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_range_get</td>
-<td>Get a pointer to the range.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_range_set</td>
-<td>Set the range component. Returns nonzero if unsuccessful.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_role_get</td>
-<td>Get a pointer to the role.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_role_set</td>
-<td>Set the role component. Returns nonzero if unsuccessful.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_str</td>
-<td>Return a pointer to the string value of context_t. Valid until the next call to context_str or context_free for the same context_t*.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_type_get</td>
-<td>Get a pointer to the type.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_type_set</td>
-<td>Set the type component. Returns nonzero if unsuccessful.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_user_get</td>
-<td>Get a pointer to the user.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td>context_user_set</td>
-<td>Set the user component. Returns nonzero if unsuccessful.</td>
-<td>context.h</td>
-</tr>
-<tr>
-<td><p>fgetfilecon</p>
-<p>fgetfilecon_raw</p></td>
-<td>Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via freecon.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>fini_selinuxmnt</td>
-<td>Clear <em>selinuxmnt</em> variable and free allocated memory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>freecon</td>
-<td>Free the memory allocated for a context by any of the get* calls.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>freeconary (deprecated)</td>
-<td>Free the memory allocated for a context array by <strong>security_compute_user</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>fsetfilecon</p>
-<p>fsetfilecon_raw</p></td>
-<td>Wrapper for the xattr API - Set file context.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>get_default_context</td>
-<td>Get the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context will be one of those authorized by the policy, but the selection of a default is subject to user customizable preferences. If 'fromcon' is NULL, defaults to current context. Returns 0 on success or -1 otherwise. Caller must free via freecon. </td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>get_default_context_with_level</td>
-<td>Same as <strong>get_default_context</strong>(3), but use the provided MLS level rather than the default level for the user. </td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>get_default_context_with_role</td>
-<td>Same as <strong>get_default_context</strong>(3), but only return a context that has the specified role.</td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>get_default_context_with_rolelevel</td>
-<td>Same as <strong>get_default_context</strong>(3), but only return a context that has the specified role and level.</td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>get_default_type</td>
-<td>Get the default type (domain) for 'role' and set 'type' to refer to it. Caller must free via <strong>free</strong>(3). Return 0 on success or -1 otherwise. </td>
-<td>get_default_type.h</td>
-</tr>
-<tr>
-<td>get_ordered_context_list</td>
-<td>Get an ordered list of authorized security contexts for a user session for 'user' spawned by 'fromcon' and set *conary to refer to the NULL-terminated array of contexts. Every entry in the list will be authorized by the policy, but the ordering is subject to user customizable preferences. Returns number of entries in *conary. If 'fromcon' is NULL, defaults to current context. Caller must free via <strong>freeconary</strong>(3).</td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>get_ordered_context_list_with_level</td>
-<td>Same as <strong>get_ordered_context_list</strong>(3), but use the provided MLS level rather than the default level for the user.</td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td><p>getcon</p>
-<p>getcon_raw</p></td>
-<td>Get current context, and set *con to refer to it. Caller must free via <strong>freecon</strong>(3). </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getexeccon</p>
-<p>getexeccon_raw</p></td>
-<td>Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getfilecon</p>
-<p>getfilecon_raw</p></td>
-<td>Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getfscreatecon</p>
-<p>getfscreatecon_raw</p></td>
-<td>Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default.If non-NULL, caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getkeycreatecon</p>
-<p>getkeycreatecon_raw</p></td>
-<td>Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getpeercon</p>
-<p>getpeercon_raw</p></td>
-<td>Wrapper for the socket API - Get context of peer socket, and set *con to refer to it. Caller must free via <em><strong>freecon</strong>(3)</em>.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getpidcon</p>
-<p>getpidcon_raw</p></td>
-<td>Get context of process identified by pid, and set *con to refer to it. Caller must free via <em><strong>freecon</strong>(3)</em>.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getprevcon</p>
-<p>getprevcon_raw</p></td>
-<td>Get previous context (prior to last exec), and set *con to refer to it. Caller must free via <em><strong>freecon</strong></em>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>getseuser</td>
-<td>Get the SELinux username and level to use for a given Linux username and service. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via <strong>free</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>getseuserbyname</td>
-<td>Get the SELinux username and level to use for a given Linux username. These values may then be passed into the get_ordered_context_list* and get_default_context* functions to obtain a context for the user. Returns 0 on success or -1 otherwise. Caller must free the returned strings via <strong>free</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>getsockcreatecon</p>
-<p>getsockcreatecon_raw</p></td>
-<td>Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>init_selinuxmnt</td>
-<td>There is a man page for this, however it is not a user accessible function (internal use only - although the <em>fini_selinuxmnt</em> is reachable).</td>
-<td>-</td>
-</tr>
-<tr>
-<td>is_context_customizable</td>
-<td>Returns whether a file context is customizable, and should not be relabeled.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>is_selinux_enabled</td>
-<td>Return 1 if running on a SELinux kernel, or 0 if not or -1 for error.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>is_selinux_mls_enabled</td>
-<td>Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>lgetfilecon</p>
-<p>lgetfilecon_raw</p></td>
-<td>Wrapper for the xattr API - Get file context, and set *con to refer to it. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>lsetfilecon</p>
-<p>lsetfilecon_raw</p></td>
-<td>Wrapper for the xattr API- Set file context for symbolic link.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>manual_user_enter_context</td>
-<td>Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via <strong>freecon</strong>(3). Returns 0 on success or -1 otherwise. </td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>matchmediacon</td>
-<td>Match the specified media and against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon (deprecated)</td>
-<td>Match the specified pathname and mode against the file context sconfiguration and set *con to refer to the resulting context.'mode' can be 0 to disable mode matching. Caller must free via freecon. If <strong>matchpathcon_init</strong>(3) has not already been called, then this function will call it upon its first invocation with a NULL path.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_checkmatches (deprecated)</td>
-<td>Check to see whether any specifications had no matches and report them. The 'str' is used as a prefix for any warning messages.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_filespec_add (deprecated)</td>
-<td>Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated with the same inode (e.g. due to multiple hard links). If so, then use the latter of the two specifications based on their order in the file contexts configuration. Return the used specification index. </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_filespec_destroy (deprecated)</td>
-<td>Destroy any inode associations that have been added, e.g. to restart for a new filesystem. </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_filespec_eval (deprecated)</td>
-<td>Display statistics on the hash table usage for the associations.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_fini (deprecated)</td>
-<td>Free the memory allocated by matchpathcon_init.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_index (deprecated)</td>
-<td>Same as <strong>matchpathcon</strong>(3), but return a specification index for later use in a <strong>matchpathcon_filespec_add</strong>(3) call.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_init (deprecated)</td>
-<td>Load the file contexts configuration specified by 'path' into memory for use by subsequent matchpathcon calls. If 'path' is NULL, then load the active file contexts configuration, i.e. the path returned by <strong>selinux_file_context_path</strong>(3). Unless the MATCHPATHCON_BASEONLY flag has been set, this function also checks for a 'path'.homedirs file and a 'path'.local file and loads additional specifications from them if present.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>matchpathcon_init_prefix (deprecated)</td>
-<td>Same as <strong>matchpathcon_init</strong>(3), but only load entries with regexes that have stems that are prefixes of 'prefix'.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>mode_to_security_class</td>
-<td>Translate mode_t to a security class string name (e.g. <em>S_ISREG</em> = "<em>file</em>").</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>print_access_vector</td>
-<td>Display an access vector in a string representation.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>query_user_context</td>
-<td>Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via <strong>freecon</strong>(3). Returns 0 on success or -1 otherwise. </td>
-<td>get_context_list.h</td>
-</tr>
-<tr>
-<td>realpath_not_final</td>
-<td>Resolve all of the symlinks and relative portions of a pathname, but NOT the final component (same a <em><strong>realpath</strong>(3)</em> unless the final component is a symlink. Resolved path must be a path of size <em>PATH_MAX + 1</em>.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>rpm_execcon (deprecated)</td>
-<td><strong>Use setexecfilecon and execve</strong> Execute a helper for rpm in an appropriate security context.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_av_perm_to_string</td>
-<td>Convert access vector permissions to string names.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_av_string</td>
-<td>Returns an access vector in a string representation. User must free the returned string via <strong>free</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_canonicalize_context</p>
-<p>security_canonicalize_context_raw</p></td>
-<td>Canonicalize a security context. Returns a pointer to the canonical (primary) form of a security context in <em>canoncon</em> that the kernel is using rather than what is provided by the userspace application in <em>con</em>. </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_check_context</p>
-<p>security_check_context_raw</p></td>
-<td>Check the validity of a security context.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_class_to_string</td>
-<td>Convert security class values to string names.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_commit_booleans</td>
-<td>Commit the pending values for the booleans.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_av</p>
-<p>security_compute_av_raw</p></td>
-<td><p>Compute an access decision. </p>
-<p>Queries whether the policy permits the source context <em>scon</em> to access the target context <em>tcon</em> via class <em>tclass</em> with the <em>requested</em> access vector. The decision is returned in <em>avd</em>.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_av_flags</p>
-<p>security_compute_av_flags_raw</p></td>
-<td><p>Compute an access decision and return the flags. </p>
-<p>Queries whether the policy permits the source context <em>scon</em> to access the target context <em>tcon</em> via class <em>tclass</em> with the <em>requested</em> access vector. The decision is returned in <em>avd</em>. that has an additional <em><strong>flags</strong></em> entry. Currently the only flag defined is SELINUX_AVD_FLAGS_PERMISSIVE that indicates the decision was computed on a permissive domain (i.e. the <em><strong>permissive</strong></em> policy language statement has been used in policy or <em><strong>semanage</strong>(8)</em> has been used to set the domain in permissive mode). Note this does not indicate that SELinux is running in permissive mode, only the <em>scon</em> domain.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_create</p>
-<p>security_compute_create_raw</p></td>
-<td>Compute a labeling decision and set *newcon to refer to it. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_create_name</p>
-<p>security_compute_create_name_raw</p></td>
-<td><p>This is identical to<em> <strong>security_compute_create</strong>(3)</em> but also takes the name of the new object in creation as an argument.</p>
-<p>When a <em>type_transition</em> rule on the given class and the <em>scon</em> / <em>tcon</em> pair has an object name extension, <em>newcon</em> will be returned according to the policy. Note that this interface is only supported on the kernels 2.6.40 or later. For older kernels the object name is ignored.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_member</p>
-<p>security_compute_member_raw</p></td>
-<td>Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_relabel</p>
-<p>security_compute_relabel_raw</p></td>
-<td>Compute a relabeling decision and set *newcon to refer to it. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_compute_user (deprecated)</p>
-<p>security_compute_user_raw (deprecated)</p></td>
-<td>Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via <strong>freeconary</strong>(3). </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_deny_unknown</td>
-<td>Get the behavior for undefined classes / permissions.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_disable</td>
-<td>Disable SELinux at runtime (must be done prior to initial policy load).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_get_boolean_active</td>
-<td>Get the active value for the boolean.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_get_boolean_names</td>
-<td>Get the boolean names</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_get_boolean_pending</td>
-<td>Get the pending value for the boolean.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_get_initial_context</p>
-<p>security_get_initial_context_raw</p></td>
-<td>Get the context of an initial kernel security identifier by name. Caller must free via <strong>freecon</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_getenforce</td>
-<td>Get the enforce flag value.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_load_booleans (deprecated)</td>
-<td>Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_load_policy</td>
-<td>Load a policy configuration.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_policyvers</td>
-<td>Get the policy version number.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_set_boolean</td>
-<td>Set the pending value for the boolean.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_set_boolean_list</td>
-<td>Save a list of booleans in a single transaction.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>security_setenforce</td>
-<td>Set the enforce flag value.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>security_validatetrans</p>
-<p>security_validatetrans_raw</p></td>
-<td>Validate a transition. This determines whether a transition from scon to newcon using tcon as the target for object class tclass is valid in the loaded policy. This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy. Returns 0 if allowed and -1 if an error occurred with errno set.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selabel_close</td>
-<td>Destroy the specified handle, closing files, freeing allocated memory, etc. The handle may not be further used after it has been closed.</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_cmp</td>
-<td><p>Compare two label configurations. Returns:</p>
-<p><em>SELABEL_SUBSET</em> if <em>h1</em> is a subset of <em>h2</em></p>
-<p><em>SELABEL_EQUAL</em> if <em>h1</em> is identical to <em>h2</em></p>
-<p><em>SELABEL_SUPERSET</em> if <em>h1</em> is a superset of <em>h2</em></p>
-<p><em>SELABEL_INCOMPARABLE</em> if <em>h1</em> and <em>h2</em> are incomparable</p></td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_digest</td>
-<td>Retrieve the SHA1 digest and the list of specfiles used to generate the digest. The <em>SELABEL_OPT_DIGEST</em> option must be set in <em><strong>selabel_open</strong>(3)</em> to initiate the digest generation.</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_get_digests_all_partial_matches</td>
-<td>Returns true if the digest of all partial matched contexts is the same as the one saved by setxattr, otherwise returns false. The length of the SHA1 digest will always be returned. The caller must free any returned digests.</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_hash_all_partial_matches</td>
-<td>Returns true if the digest of all partial matched contexts is the same as the one saved by setxattr, otherwise returns false.</td>
-<td>label.h</td>
-</tr>
-
-<tr>
-<td><p>selabel_lookup</p>
-<p>selabel_lookup_raw</p></td>
-<td>Perform a labeling lookup operation. Return 0 on success, -1 with errno set on failure. The <em>key</em> and <em>type</em> arguments are the inputs to the lookup operation; appropriate values are dictated by the backend in use. The result is returned in the memory pointed to by con and must be freed by freecon.</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td><p>selabel_lookup_best_match</p>
-<p>selabel_lookup_best_match_raw</p></td>
-<td><p>Obtain a best match SELinux security context - Only supported on file backend. The order of precedence for best match is:</p>
-<p>1. An exact match for the real path (key) or</p>
-<p>2. An exact match for any of the links (aliases), or</p>
-<p>3. The longest fixed prefix match.</p></td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_open</td>
-<td><p>Create a labeling handle.</p>
-<p>Open a labeling backend for use. The available backend identifiers are:</p>
-<p>SELABEL_CTX_FILE - file_contexts.</p>
-<p>SELABEL_CTX_MEDIA - media contexts.</p>
-<p>SELABEL_CTX_X - x_contexts.</p>
-<p><em>SELABEL_CTX_DB</em> - SE-PostgreSQL contexts.</p>
-<p>SELABEL_CTX_ANDROID_PROP – <em>property</em>_contexts.</p>
-<p>S<em>ELABEL_CTX_ANDROID_SERVICE</em> – <em>service_contexts</em>.</p>
-<p> Options may be provided via the opts parameter; available options are:</p>
-<p>SELABEL_OPT_UNUSED - no-op option, useful for unused slots in an array of options.</p>
-<p>SELABEL_OPT_VALIDATE - validate contexts before returning them (boolean value).</p>
-<p>SELABEL_OPT_BASEONLY - don't use local customizations to backend data (boolean value).</p>
-<p>SELABEL_OPT_PATH - specify an alternate path to use when loading backend data.</p>
-<p>SELABEL_OPT_SUBSET - select a subset of the search space as an optimization (file backend).</p>
-<p><em>SELABEL_OPT_DIGEST</em> – request an SHA1 digest of the specfiles.</p>
-<p>Not all options may be supported by every backend. Return value is the created handle on success or NULL with errno set on failure.</p></td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_partial_match</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selabel_stats</td>
-<td>Log a message with information about the number of queries performed, number of unused matching entries, or other operational statistics. Message is backend-specific, some backends may not output a message.</td>
-<td>label.h</td>
-</tr>
-<tr>
-<td>selinux_binary_policy_path</td>
-<td>Return path to the binary policy file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_booleans_path (deprecated)</td>
-<td>Return path to the booleans file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_boolean_sub</td>
-<td>Reads the <em>/etc/selinux/TYPE/booleans.subs_dist</em> file looking for a record with <em>boolean_name</em>. If a record exists <em><strong>selinux_boolean_sub</strong>(3)</em> returns the translated name otherwise it returns the original name. The returned value needs to be freed. On failure NULL will be returned.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_booleans_subs_path</td>
-<td>Returns the path to the <em>booleans.subs_dist</em> configuration file.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_check_access</td>
-<td><p>Used to check if the source context has the access permission for the specified class on the target context. Note that the permission and class are reference strings.</p>
-<p>The <em>aux</em> parameter may reference supplemental auditing information. </p>
-<p>Auditing is handled as described in <em><strong>avc_audit</strong>(3)</em>.</p>
-<p>See <em><strong>security_deny_unknown</strong>(3)</em> for how the <em>deny_unknown</em> flag can influence policy decisions.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_check_passwd_access (deprecated)</td>
-<td><p><strong>Use selinux_check_access<strong> Check a permission in the passwd class. Return 0 if granted or -1 otherwise.</p>
-<p>Replaced by <em><strong>selinux_check_access</strong>(3)</em></p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_check_securetty_context </td>
-<td>Check if the tty_context is defined as a securetty. Return 0 if secure, &lt; 0 otherwise.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_colors_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_contexts_path</td>
-<td>Return path to contexts directory under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_current_policy_path</td>
-<td>Return path to the current policy.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_customizable_types_path</td>
-<td>Return path to customizable_types file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_default_context_path</td>
-<td>Return path to default_context file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_default_type_path</td>
-<td>Return path to <em>default_type</em> file.</td>
-<td>get_default_type.h</td>
-</tr>
-<tr>
-<td>selinux_failsafe_context_path</td>
-<td>Return path to failsafe_context file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_cmp</td>
-<td>Compare two file contexts, return 0 if equivalent.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_homedir_path</td>
-<td>Return path to <em>file_context.homedir</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_local_path</td>
-<td>Return path to <em>file_context.local</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_path</td>
-<td>Return path to <em>file_context</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_subs_path</td>
-<td>Return path to <em>file_context.subs</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_subs_dist_path</td>
-<td>Return path to <em>file_context.subs_dist</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_file_context_verify</td>
-<td>Verify the context of the file 'path' against policy. Return 0 if correct.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_get_callback</td>
-<td>Used to get a pointer to the callback function of the given <em>type</em>. Callback functions are set using <em><strong>selinux_set_callback</strong>(3)</em>.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_getenforcemode</td>
-<td>Reads the /etc/selinux/config file and determines whether the machine should be started in enforcing (1), permissive (0) or disabled (-1) mode. </td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_getpolicytype</td>
-<td>Reads the /<em>etc/selinux/config</em> file and determines what the default policy for the machine is. Calling application must free <em>policytype</em>.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_homedir_context_path</td>
-<td>Return path to file under the policy root directory. Note that this file will only appear in older versions of policy at this location. On systems that are managed using <em><strong>semanage</strong>(8)</em> this is now in the policy store.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_init_load_policy</td>
-<td><p>Perform the initial policy load.</p>
-<p>This function determines the desired enforcing mode, sets the the *enforce argument accordingly for the caller to use, sets the SELinux kernel enforcing status to match it, and loads the policy. It also internally handles the initial selinuxfs mount required to perform these actions.</p>
-<p>The function returns 0 if everything including the policy load succeeds. In this case, init is expected to re-exec itself in order to transition to the proper security context. Otherwise, the function returns -1, and init must check *enforce to determine how to proceed. If enforcing (*enforce &gt; 0), then init should halt the system. Otherwise, init may proceed normally without a re-exec.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_lsetfilecon_default</td>
-<td>This function sets the file context to the system defaults. Returns 0 on success.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_lxc_contexts_path</td>
-<td>Return the path to the <em>lxc_contexts</em> configuration file.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_media_context_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_mkload_policy</td>
-<td><p>Make a policy image and load it. </p>
-<p>This function provides a higher level interface for loading policy than <strong>security_load_policy</strong>(3), internally determining the right policy version, locating and opening the policy file, mapping it into memory, manipulating it as needed for current boolean settings and/or local definitions, and then calling <strong>security_load_policy</strong>(3) to load it.</p>
-<p>'preservebools' is a boolean flag indicating whether current policy boolean values should be preserved into the new policy (if 1) or reset to the saved policy settings (if 0). The former case is the default for policy reloads, while the latter case is an option for policy reloads but is primarily for the initial policy load.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_netfilter_context_path</td>
-<td>Returns path to the netfilter_context file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_path</td>
-<td>Returns path to the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_policy_root</td>
-<td>Reads the /etc/selinux/config file and returns the top level directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_raw_context_to_color</td>
-<td>Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via <strong>free</strong>(3). Returns -1 upon an error or 0 otherwise.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_raw_to_trans_context</td>
-<td>Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via <strong>freecon</strong>(3). Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_removable_context_path</td>
-<td>Return path to <em>removable_context</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon</td>
-<td><p>Relabel files that automatically calls <em><strong>selinux_restorecon_default_handle</strong>(3)</em> and <em><strong>selinux_restorecon_set_sehandle</strong>(3)</em> first time through to set the <em><strong>selabel_open</strong>(3)</em> parameters to use the currently loaded policy <em>file_contexts</em> and request their computed digest.</p>
-<p>Should other <em><strong>selabel_open</strong>(3)</em> parameters be required see <em><strong>selinux_restorecon_set_sehandle</strong>(3)</em>.</p></td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon_xattr</td>
-<td><p>Read/remove <em>RESTORECON_LAST</em> xattr entries that automatically calls <em><strong>selinux_restorecon_default_handle</strong>(3)</em> and <em><strong>selinux_restorecon_set_sehandle</strong>(3)</em> first time through to set the <em><strong>selabel_open</strong>(3)</em> parameters to use the currently loaded policy <em>file_contexts</em> and request their computed digest.</p>
-<p>Should other <em><strong>selabel_open</strong>(3)</em> parameters be required see <em><strong>selinux_restorecon_set_sehandle</strong>(3)</em>, however note that a <em>file_contexts</em> computed digest is required for <em><strong>selinux_restorecon_xattr</strong>(3)</em>.</p></td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon_default_handle</td>
-<td>Sets default <em><strong>selabel_open</strong>(3)</em> parameters to use the currently loaded policy and <em>file_contexts</em>, also requests the digest.</td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon_set_alt_rootpath</td>
-<td>Use alternate rootpath.</td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon_set_exclude_list</td>
-<td>Add a list of directories that are to be excluded from relabeling.</td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_restorecon_set_sehandle</td>
-<td>Set the global fc handle. Called by a process that has already called <em><strong>selabel_open</strong>(3)</em> with its required parameters, or if <em><strong>selinux_restorecon_default_handle</strong>(3)</em> has been called to set the default <em><strong>selabel_open</strong>(3)</em> parameters.</td>
-<td>restorecon.h</td>
-</tr>
-<tr>
-<td>selinux_securetty_types_path</td>
-<td>Return path to the securetty_types file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_sepgsql_context_path</td>
-<td>Return path to <em>sepgsql_context</em> file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_set_callback</td>
-<td>Sets the callback according to the type: <em>SELINUX_CB_LOG</em>, <em>SELINUX_CB_AUDIT</em>, <em>SELINUX_CB_VALIDATE</em>, <em>SELINUX_CB_SETENFORCE</em>, <em>SELINUX_CB_POLICYLOAD</em></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_set_mapping</td>
-<td>Userspace class mapping support that establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_set_policy_root</td>
-<td>Sets an alternate policy root directory path under which the compiled policy file and context configuration files exist.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_status_open</td>
-<td>Open and map SELinux kernel status page.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_status_close</td>
-<td>Unmap and close kernel status page.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_status_updated</td>
-<td>Inform whether the kernel status has been updated.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_status_getenforce</td>
-<td>Get the enforce flag value.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_status_policyload</td>
-<td>Get the number of policy loads.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_status_deny_unknown</td>
-<td>Get behaviour for undefined classes/permissions.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>selinux_systemd_contexts_path</td>
-<td>Returns the path to the <em>systemd_contexts</em> configuration file.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_reset_config</td>
-<td>Force a reset of the loaded configuration. <strong>WARNING</strong>: This is not thread safe. Be very sure that no other threads are calling into <em>libselinux</em> when this is called.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_trans_to_raw_context</td>
-<td>Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via <strong>freecon</strong>(3). Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_translations_path</td>
-<td>Return path to setrans.conf file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_user_contexts_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_users_path (deprecated)</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_usersconf_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_virtual_domain_context_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_virtual_image_context_path</td>
-<td>Return path to file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinux_x_context_path</td>
-<td>Return path to x_context file under the policy root directory.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>selinuxfs_exists</td>
-<td>Check if selinuxfs exists as a kernel filesystem.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>set_matchpathcon_canoncon (deprecated)</td>
-<td>Same as <strong>set_matchpathcon_invalidcon</strong>(3), but also allows canonicalization of the context, by changing *context to refer to the canonical form. If not set, and invalidcon is also not set, then this defaults to calling <strong>security_canonicalize_context</strong>(3).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>set_matchpathcon_flags (deprecated)</td>
-<td><p>Set flags controlling operation of <strong>matchpathcon_init</strong>(3) or <strong>matchpathcon</strong>(3): </p>
-<p>MATCHPATHCON_BASEONLY - Only process the base file_contexts file. </p>
-<p>MATCHPATHCON_NOTRANS - Do not perform any context translation.</p>
-<p>MATCHPATHCON_VALIDATE - Validate/canonicalize contexts at init time.</p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>set_matchpathcon_invalidcon (deprecated)</td>
-<td>Set the function used by <strong>matchpathcon_init</strong>(3) when checking the validity of a context in the file_contexts configuration. If not set, then this defaults to a test based on <strong>security_check_context</strong>(3). The function is also responsible for reporting any such error, and may include the 'path' and 'lineno' in such error messages.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>set_matchpathcon_printf (deprecated)</td>
-<td>Set the function used by <strong>matchpathcon_init</strong>(3) when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...).</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>set_selinuxmnt </td>
-<td>Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux initialization, but this is not always possible, e.g. for /sbin/init which performs the initial mount of selinuxfs.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setcon</p>
-<p>setcon_raw</p></td>
-<td><p>Set the current security context to con.</p>
-<p>Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via <strong>setexeccon</strong>(3). When possible, decompose your application and use <strong>setexeccon</strong>(3)+<strong>execve</strong>(3) instead. Note that the application may lose access to its open descriptors as a result of a <strong>setcon</strong>(3) unless policy allows it to use descriptors opened by the old context. </p></td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setexeccon</p>
-<p>setexeccon_raw</p></td>
-<td>Set exec security context for the next <strong>execve</strong>(3). Call with NULL if you want to reset to the default.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>setexecfilecon</td>
-<td>Set an appropriate security context based on the filename of a helper program, falling back to a new context with the specified type.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setfilecon</p>
-<p>setfilecon_raw</p></td>
-<td>Wrapper for the xattr API - Set file context.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setfscreatecon</p>
-<p>setfscreatecon_raw</p></td>
-<td>Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setkeycreatecon</p>
-<p>setkeycreatecon_raw</p></td>
-<td>Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td><p>setsockcreatecon</p>
-<p>setsockcreatecon_raw</p></td>
-<td>Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>sidget (deprecated)</td>
-<td>From 2.0.86 this is a no-op.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>sidput (deprecated)</td>
-<td>From 2.0.86 this is a no-op.</td>
-<td>avc.h</td>
-</tr>
-<tr>
-<td>string_to_av_perm</td>
-<td>Convert string names to access vector permissions.</td>
-<td>selinux.h</td>
-</tr>
-<tr>
-<td>string_to_security_class</td>
-<td>Convert string names to security class values.</td>
-<td>selinux.h</td>
-</tr>
-</tbody>
-</table>
+Some useful notes:
+
+1. Use ***free**(3)* instead of ***freecon**(3)* for context strings as they
+   are now defined as *char\**. Note this does not apply to ***context_free**(3)*.
+2. There must be more ???
+
+*avc_add_callback* - *avc.h*
+
+Register a callback for security events.
+
+*avc_audit* - *avc.h*
+
+Audit the granting or denial of permissions in accordance with the policy.
+This function is typically called by ***avc_has_perm**(3)* after a permission
+check, but can also be called directly by callers who use
+***avc_has_perm_noaudit**(3)* in order to separate the permission check from
+the auditing. For example, this separation is useful when the permission
+check must be performed under a lock, to allow the lock to be released before
+calling the auditing code.
+
+*avc_av_stats* - *avc.h*
+
+Log AV table statistics. Logs a message with information about the size and
+distribution of the access vector table. The audit callback is used to print
+the message.
+
+*avc_cache_stats* - *avc.h*
+
+Get cache access statistics. Fill the supplied structure with information
+about AVC activity since the last call to ***avc_init**(3)*
+or ***avc_reset**(3)*.
+
+*avc_cleanup* - *avc.h*
+
+Remove unused SIDs and AVC entries. Search the SID table for SID structures
+with zero reference counts, and remove them along with all AVC entries that
+reference them. This can be used to return memory to the system.
+
+*avc_compute_create* - *avc.h*
+
+Compute SID for labeling a new object. Call the security server to obtain
+a context for labeling a new object. Look up the context in the SID table,
+making a new entry if not found.
+
+*avc_compute_member* - *avc.h*
+
+Compute SID for polyinstantation. Call the security server to obtain a
+context for labeling an object instance. Look up the context in the SID table,
+making a new entry if not found.
+
+*avc_context_to_sid*, *avc_context_to_sid_raw* - *avc.h*
+
+Get SID for context. Look up security context *ctx* in SID table, making a new
+entry if *ctx* is not found. Store a pointer to the SID structure into the
+memory referenced by *sid*, returning 0 on success or -1 on error with
+*errno* set.
+
+*avc_destroy* - *avc.h*
+
+Free all AVC structures. Destroy all AVC structures and free all allocated
+memory. User-supplied locking, memory, and audit callbacks will be retained,
+but security-event callbacks will not. All SID's will be invalidated.
+User must call ***avc_init**(3)* if further use of AVC is desired.
+
+*avc_entry_ref_init* - *avc.h*
+
+Initialize an AVC entry reference. Use this macro to initialize an *avc* entry
+reference structure before first use. These structures are passed to
+***avc_has_perm**(3)*, which stores cache entry references in them.
+They can increase performance on repeated queries.
+
+*avc_get_initial_sid* - *avc.h*
+
+Get SID for an initial kernel security identifier. Get the context for an
+initial kernel security identifier specified by name using
+***security_get_initial_context**(3)* and then call
+***avc_context_to_sid**(3)* to get the corresponding SID.
+
+*avc_has_perm* - *avc.h*
+
+Check permissions and perform any appropriate auditing. Check the AVC to
+determine whether the requested permissions are granted for the SID pair
+(*ssid*, *tsid*), interpreting the permissions based on tclass, and call the
+security server on a cache miss to obtain a new decision and add it to the
+cache. Update *aeref* to refer to an AVC entry with the resulting decisions.
+Audit the granting or denial of permissions in accordance with the policy.
+Return 0 if all requested permissions are granted, -1 with errno set to EACCES
+if any permissions are denied or to another value upon other errors.
+
+*avc_has_perm_noaudit* - *avc.h*
+
+Check permissions but perform no auditing. Check the AVC to determine whether
+the requested permissions are granted for the SID pair (*ssid*, *tsid*),
+interpreting the permissions based on tclass, and call the security server
+on a cache miss to obtain a new decision and add it to the cache. Update aeref
+to refer to an AVC entry with the resulting decisions, and return a copy of
+the decisions in *avd*. Return 0 if all requested permissions are granted, -1
+with errno set to EACCES if any permissions are denied, or to another value
+upon other errors. This function is typically called by ***avc_has_perm**(3)*,
+but may also be called directly to separate permission checking from auditing,
+e.g. in cases where a lock must be held for the check but should be released
+for the auditing.
+
+*avc_init* (deprecated)
+
+Use *avc_open*. Initialize the AVC. Initialize the access vector cache.
+Return 0 on success or -1 with errno set on failure. If *msgprefix* is NULL,
+use *uavc*. If any callback structure references are NULL, use default methods
+for those callbacks (see the definition of the callback structures).
+
+*avc_netlink_acquire_fd* - *avc.h*
+
+Create a netlink socket and connect to the kernel.
+
+*avc_netlink_check_nb* - *avc.h*
+
+Wait for netlink messages from the kernel.
+
+*avc_netlink_close* - *avc.h*
+
+Close the netlink socket.
+
+*avc_netlink_loop* - *avc.h*
+
+Acquire netlink socket fd. Allows the application to manage messages from
+the netlink socket in its own main loop.
+
+*avc_netlink_open* - *avc.h*
+
+Release netlink socket fd. Returns ownership of the netlink socket to the
+ibrary.
+
+*avc_netlink_release_fd* - *avc.h*
+
+Check netlink socket for new messages. Called by the application when using
+***avc_netlink_acquire_fd**(3)* to process kernel netlink events.
+
+*avc_open* - *avc.h*
+
+Initialize the AVC. This function is identical to ***avc_init**(3)* except the
+message prefix is set to *avc* and any callbacks desired should be specified
+via ***selinux_set_callback**(3)*.
+
+*avc_reset* - *avc.h*
+
+Flush the cache and reset statistics. Remove all entries from the cache and
+reset all access statistics (as returned by ***avc_cache_stats**(3)*) to zero.
+The SID mapping is not affected. Return 0 on success, -1 with errno set on error.
+
+*avc_sid_stats* - *avc.h*
+
+Log SID table statistics. Log a message with information about the size and
+distribution of the SID table. The audit callback is used to print the message.
+
+avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h*
+
+Get copy of context corresponding to SID. Return a copy of the security context
+corresponding to the input sid in the memory referenced by *ctx*. The caller is
+expected to free the context with ***freecon**(3)*. Return 0 on success, -1
+on failure, with errno set to ENOMEM if insufficient memory was available to
+make the copy, or EINVAL if the input SID is invalid.
+
+*checkPasswdAccess* (deprecated) - *selinux.h*
+
+Use ***selinux_check_passwd_access**(3)* or preferably
+***selinux_check_access**(3)*. Check a permission in the passwd class.
+Return 0 if granted or -1 otherwise.
+
+*context_free* - *context.h*
+
+Free the storage used by a context structure.
+
+*context_new* - *context.h*
+
+Return a new context initialized to a context string.
+
+*context_range_get* - *context.h*
+
+Get a pointer to the range.
+
+*context_range_set* - *context.h*
+
+Set the range component. Returns nonzero if unsuccessful.
+
+*context_role_get* - *context.h*
+
+Get a pointer to the role.
+
+*context_role_set* - *context.h*
+
+Set the role component. Returns nonzero if unsuccessful.
+
+*context_str* - *context.h*
+
+Return a pointer to the string value of *context_t*. Valid until the next call
+to ***context_str**(3)* or ***context_free**(3)* for the same *context_t*.
+
+*context_type_get* - *context.h*
+
+Get a pointer to the type.
+
+*context_type_set* - *context.h*
+
+Set the type component. Returns nonzero if unsuccessful.
+
+*context_user_get* - *context.h*
+
+Get a pointer to the user.
+
+*context_user_set* - *context.h*
+
+Set the user component. Returns nonzero if unsuccessful.
+
+*fgetfilecon*, *fgetfilecon_raw* - *selinux.h*
+
+Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to
+refer to it. Caller must free via ***freecon**(3)*.
+
+*fini_selinuxmnt* - *selinux.h*
+
+Clear *selinuxmnt* variable and free allocated memory.
+
+*freecon* - *selinux.h*
+
+Free the memory allocated for a context by any of the *get\** calls.
+
+*freeconary* - *selinux.h*
+
+Free the memory allocated for a context array by
+***get_ordered_context_list**(3)*.
+
+*fsetfilecon*, *fsetfilecon_raw* - *selinux.h*
+
+Wrapper for the ***xattr**(7)* API - Set file context.
+
+*get_default_context* - *get_context_list.h*
+
+Get the default security context for a user session for *user* spawned by
+*fromcon* and set *\*newcon* to refer to it. The context will be one of those
+authorized by the policy, but the selection of a default is subject to user
+customizable preferences. If *fromcon* is NULL, defaults to current context.
+Returns 0 on success or -1 otherwise. Caller must free via ***freecon**(3)*.
+
+*get_default_context_with_level* - *get_context_list.h*
+
+Same as ***get_default_context**(3)*, but use the provided MLS level rather
+than the default level for the user.
+
+*get_default_context_with_role* - *get_context_list.h*
+
+Same as ***get_default_context**(3)*, but only return a context that
+has the specified role.
+
+*get_default_context_with_rolelevel* - *get_context_list.h*
+
+Same as ***get_default_context**(3)*, but only return a context that has
+the specified role and level.
+
+*get_default_type* - *get_default_type.h*
+
+Get the default type (domain) for *role* and set *type* to refer to it.
+Caller must free via ***free**(3)*.
+Return 0 on success or -1 otherwise.
+
+*get_ordered_context_list* - *get_context_list.h*
+
+Get an ordered list of authorized security contexts for a user session for
+*user* spawned by *fromcon* and set *\*conary* to refer to the NULL-terminated
+array of contexts. Every entry in the list will be authorized by the policy,
+but the ordering is subject to user customizable preferences.
+Returns number of entries in *\*conary*. If *fromcon* is NULL, defaults
+to current context. Caller must free via ***freeconary**(3)*.
+
+*get_ordered_context_list_with_level* - *get_context_list.h*
+
+Same as ***get_ordered_context_list**(3)*, but use the provided MLS level
+rather than the default level for the user.
+
+*getcon*, *getcon_raw* - *selinux.h*
+
+Get current context, and set *\*con* to refer to it. Caller must free via
+***freecon**(3)*.
+
+*getexeccon*, *getexeccon_raw* - *selinux.h*
+
+Get exec context, and set *\*con* to refer to it. Sets *\*con* to NULL if no
+exec context has been set, i.e. using default. If non-NULL, caller must
+free via ***freecon**(3)*.
+
+*getfilecon*, *getfilecon_raw* - *selinux.h*
+
+Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to refer
+to it. Caller must free via ***freecon**(3)*.
+
+*getfscreatecon*, *getfscreatecon_raw* - *selinux.h*
+
+Get fscreate context, and set *\*con* to refer to it. Sets *\*con* to NULL if
+no fs create context has been set, i.e. using default.If non-NULL, caller must
+free via ***freecon**(3)*.
+
+*getkeycreatecon* *getkeycreatecon_raw* - *selinux.h*
+
+Get keycreate context, and set *\*con* to refer to it. Sets *\*con* to NULL
+if no key create context has been set, i.e. using default. If non-NULL, caller
+must free via ***freecon**(3)*.
+
+*getpeercon*, *getpeercon_raw* - *selinux.h*
+
+Wrapper for the socket API - Get context of peer socket, and set *\*con* to
+refer to it. Caller must free via ***freecon**(3)*.
+
+*getpidcon*, *getpidcon_raw* - *selinux.h*
+
+Get context of process identified by pid, and set *\*con* to refer to it.
+Caller must free via ***freecon**(3)*.
+
+*getprevcon*, *getprevcon_raw* - *selinux.h*
+
+Get previous context (prior to last exec), and set *\*con* to refer to it.
+Caller must free via ***freecon**(3)*.
+
+*getseuser* - *selinux.h*
+
+Get the SELinux username and level to use for a given Linux username and
+service. These values may then be passed into the
+***get_ordered_context_list**(3)* and ***get_default_context**(3)* functions
+to obtain a context for the user.
+Returns 0 on success or -1 otherwise.
+Caller must free the returned strings via ***free**(3)*.
+
+*getseuserbyname* - *selinux.h*
+
+Get the SELinux username and level to use for a given Linux username.
+These values may then be passed into the ***get_ordered_context_list**(3)*
+and ***get_default_context**(3)* functions to obtain a context for the user.
+Returns 0 on success or -1 otherwise.
+Caller must free the returned strings via ***free**(3)*.
+
+*getsockcreatecon*, *getsockcreatecon_raw* - *selinux.h*
+
+Get sockcreate context, and set *\*con* to refer to it. Sets *\*con* to NULL
+if no socket create context has been set, i.e. using default.
+If non-NULL, caller must free via ***freecon**(3)*.
+
+*init_selinuxmnt* - *selinux.h*
+
+There is a man page for this, however it is not a user accessible function
+(internal use only - although the ***fini_selinuxmnt**(3)* is reachable).
+
+*is_context_customizable* - *selinux.h*
+
+Returns whether a file context is customizable, and should not be relabeled.
+
+*is_selinux_enabled* - *selinux.h*
+
+Return 1 if running on a SELinux kernel, or 0 if not or -1 for error.
+
+*is_selinux_mls_enabled* - *selinux.h*
+
+Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise.
+
+*lgetfilecon*, *lgetfilecon_raw* - *selinux.h*
+
+Wrapper for the ***xattr**(7)* API - Get file context, and set *\*con* to
+refer to it. Caller must free via ***freecon**(3)*.
+
+*lsetfilecon*, *lsetfilecon_raw* - *selinux.h*
+
+Wrapper for the xattr API- Set file context for symbolic link.
+
+*manual_user_enter_context* - *get_context_list.h*
+
+Allow the user to manually enter a context as a fallback if a list of
+authorized contexts could not be obtained. Caller must free via
+***freecon**(3)*. Returns 0 on success or -1 otherwise.
+
+*matchmediacon* - *selinux.h*
+
+Match the specified media and against the media contexts configuration and
+set *\*con* to refer to the resulting context.
+Caller must free con via ***freecon**(3)*.
+
+*matchpathcon* (deprecated) - *selinux.h*
+
+Match the specified *pathname* and *mode* against the file context configuration
+and set *\*con* to refer to the resulting context. *mode* can be 0 to disable
+mode matching. Caller must free via freecon. If ***matchpathcon_init**(3)*
+has not already been called, then this function will call it upon its first
+invocation with a NULL path.
+
+*matchpathcon_checkmatches* (deprecated) - *selinux.h*
+
+Check to see whether any specifications had no matches and report them.
+The *str* is used as a prefix for any warning messages.
+
+*matchpathcon_filespec_add* (deprecated) - *selinux.h*
+
+Maintain an association between an inode and a specification index, and check
+whether a conflicting specification is already associated with the same inode
+(e.g. due to multiple hard links). If so, then use the latter of the two
+specifications based on their order in the file contexts configuration.
+Return the used specification index.
+
+*matchpathcon_filespec_destroy* (deprecated) - *selinux.h*
+
+Destroy any inode associations that have been added, e.g. to restart for a
+new filesystem.
+
+*matchpathcon_filespec_eval* (deprecated) - *selinux.h*
+
+Display statistics on the hash table usage for the associations.
+
+*matchpathcon_fini* (deprecated) - *selinux.h*
+
+Free the memory allocated by ***matchpathcon_init**(3)*.
+
+*matchpathcon_index* (deprecated) - *selinux.h*
+
+Same as ***matchpathcon**(3)*, but return a specification index for later use
+in a ***matchpathcon_filespec_add**(3)* call.
+
+
+*matchpathcon_init* (deprecated) - *selinux.h*
+
+Load the file contexts configuration specified by *path* into memory for use
+by subsequent *matchpathcon* calls. If *path* is NULL, then load the active file
+contexts configuration, i.e. the path returned by
+***selinux_file_context_path**(3)*. Unless the *MATCHPATHCON_BASEONLY* flag
+has been set, this function also checks for a *path.homedirs* file and a
+*path.local* file and loads additional specifications from them if present.
+
+*matchpathcon_init_prefix* (deprecated) - *selinux.h*
+
+Same as ***matchpathcon_init**(3)*, but only load entries with regexes that
+have stems that are prefixes of *prefix*.
+
+*mode_to_security_class* - *selinux.h*
+
+Translate mode_t to a security class string name (e.g. *S_ISREG* = *file*).
+
+*print_access_vector* - *selinux.h*
+
+Display an access vector in a string representation.
+
+*query_user_context*- *get_context_list.h*
+
+Given a list of authorized security contexts for the user, query the user to
+select one and set *\*newcon* to refer to it. Caller must free via
+***freecon**(3)*. Returns 0 on success or -1 otherwise.
+
+*realpath_not_final* - *selinux.h*
+
+Resolve all of the symlinks and relative portions of a *pathname*, but NOT the
+final component (same a ***realpath**(3)* unless the final component is a symlink.
+Resolved path must be a path of size *PATH_MAX + 1*.
+
+*rpm_execcon* (deprecated) - *selinux.h*
+
+Use ***setexecfilecon**(3)* and ***execve**(2)*. Execute a helper for rpm in
+an appropriate security context.
+
+*security_av_perm_to_string* - *selinux.h*
+
+Convert access vector permissions to string names.
+
+*security_av_string* - *selinux.h*
+
+Returns an access vector in a string representation. User must free the
+returned string via ***free**(3)*.
+
+*security_canonicalize_context*, *security_canonicalize_context_raw* - *selinux.h*
+
+Canonicalize a security context. Returns a pointer to the canonical (primary)
+form of a security context in *canoncon* that the kernel is using rather than
+what is provided by the userspace application in *con*.
+
+*security_check_context*, *security_check_context_raw* - *selinux.h*
+
+Check the validity of a security context.
+
+*security_class_to_string* - *selinux.h*
+
+Convert security class values to string names.
+
+*security_commit_booleans* - *selinux.h*
+
+Commit the pending values for the booleans.
+
+*security_compute_av*, *security_compute_av_raw* - *selinux.h*
+
+Compute an access decision. Queries whether the policy permits the source
+context *scon* to access the target context *tcon* via class *tclass* with
+the *requested* access vector. The decision is returned in *avd*.
+
+*security_compute_av_flags*, *security_compute_av_flags_raw* - *selinux.h*
+
+Compute an access decision and return the flags.
+Queries whether the policy permits the source context *scon* to access the
+target context *tcon* via class *tclass* with the *requested* access vector.
+The decision is returned in *avd*. that has an additional *flags* entry.
+Currently the only *flag* defined is *SELINUX_AVD_FLAGS_PERMISSIVE* that
+indicates the decision was computed on a permissive domain (i.e. the
+*permissive* policy language statement has been used in policy or
+***semanage**(8)* has been used to set the domain in permissive mode).
+Note this does not indicate that SELinux is running in permissive mode,
+only the *scon* domain.
+
+*security_compute_create*, *security_compute_create_raw* - *selinux.h*
+
+Compute a labeling decision and set *newcon to refer to it.
+Caller must free via ***freecon**(3)*.
+
+*security_compute_create_name*, *security_compute_create_name_raw* - *selinux.h*
+
+This is identical to* ***security_compute_create**(3)* but also takes the name
+of the new object in creation as an argument.
+When a *type_transition* rule on the given class and the *scon* / *tcon* pair
+has an object name extension, *newcon* will be returned according to the policy.
+Note that this interface is only supported on the kernels 2.6.40 or later.
+For older kernels the object name is ignored.
+
+*security_compute_member*, *security_compute_member_raw* - *selinux.h*
+
+Compute a polyinstantiation member decision and set *newcon to refer to it.
+Caller must free via ***freecon**(3)*.
+
+*security_compute_relabel*, *security_compute_relabel_raw* - *selinux.h*
+
+Compute a relabeling decision and set *\*newcon* to refer to it.
+Caller must free via ***freecon**(3)*.
+
+*security_compute_user*, security_compute_user_raw* (deprecated) - *selinux.h*
+
+Compute the set of reachable user contexts and set *\*con* to refer to the
+NULL-terminated array of contexts. Caller must free via ***freeconary**(3)*.
+
+*security_deny_unknown* - *selinux.h*
+
+Get the behavior for undefined classes / permissions.
+
+*security_disable* - *selinux.h*
+
+Disable SELinux at runtime (must be done prior to initial policy load).
+
+*security_get_boolean_active* - *selinux.h*
+
+Get the active value for the boolean.
+
+*security_get_boolean_names* - *selinux.h*
+
+Get the boolean names
+
+*security_get_boolean_pending* - *selinux.h*
+
+Get the pending value for the boolean.
+
+*security_get_initial_context*, *security_get_initial_context_raw* - *selinux.h*
+
+Get the context of an initial kernel security identifier by name.
+Caller must free via ***freecon**(3)*.
+
+*security_getenforce* - *selinux.h*
+
+Get the enforce flag value.
+
+*security_load_booleans* (deprecated) - *selinux.h*
+
+Load policy boolean settings. Path may be NULL, in which case the booleans
+are loaded from the active policy boolean configuration file.
+
+*security_load_policy* - *selinux.h*
+
+Load a policy configuration.
+
+*security_policyvers* - *selinux.h*
+
+Get the policy version number.
+
+*security_set_boolean* - *selinux.h*
+
+Set the pending value for the boolean.
+
+*security_set_boolean_list* - *selinux.h*
+
+Save a list of booleans in a single transaction.
+
+*security_setenforce* - *selinux.h*
+
+Set the enforce flag value.
+
+*security_validatetrans*, *security_validatetrans_raw* - *selinux.h*
+
+Validate a transition. This determines whether a transition from *scon*
+to *newcon* using *tcon* as the target for object class *tclass* is valid in
+the loaded policy. This checks against the *mlsvalidatetrans* and
+*validatetrans* constraints in the loaded policy.
+Returns 0 if allowed and -1 if an error occurred with errno set.
+
+*selabel_close* - *label.h*
+
+Destroy the specified handle, closing files, freeing allocated memory, etc.
+The handle may not be further used after it has been closed.
+
+*selabel_cmp* - *label.h*
+
+Compare two label configurations. Returns:
+
+- *SELABEL_SUBSET* - if *h1* is a subset of *h2*
+- *SELABEL_EQUAL* - if *h1* is identical to *h2*
+- *SELABEL_SUPERSET* - if *h1* is a superset of *h2*
+- *SELABEL_INCOMPARABLE* - if *h1* and *h2* are incomparable
+
+*selabel_digest* - *label.h*
+
+Retrieve the SHA1 digest and the list of specfiles used to generate the digest.
+The *SELABEL_OPT_DIGEST* option must be set in ***selabel_open**(3)* to
+initiate the digest generation.
+
+*selabel_get_digests_all_partial_matches* - *label.h*
+
+Returns true if the digest of all partial matched contexts is the same as the
+one saved by ***setxattr**(2)*, otherwise returns false. The length of the
+SHA1 digest will always be returned. The caller must free any returned digests.
+
+*selabel_hash_all_partial_matches* - *label.h*
+
+Returns true if the digest of all partial matched contexts is the same as the
+one saved by ***setxattr**(2)*, otherwise returns false.
+
+*selabel_lookup*, *selabel_lookup_raw* - *label.h*
+
+Perform a labeling lookup operation. Return 0 on success, -1 with *errno*
+set on failure. The *key* and *type* arguments are the inputs to the lookup
+operation; appropriate values are dictated by the backend in use.
+The result is returned in the memory pointed to by *con* and must be freed by
+***freecon**(3)*.
+
+*selabel_lookup_best_match*, *selabel_lookup_best_match_raw* - *label.h*
+
+Obtain a best match SELinux security context - Only supported on file backend.
+The order of precedence for best match is:
+
+- An exact match for the real path (key) or
+- An exact match for any of the links (aliases), or
+- The longest fixed prefix match.
+
+*selabel_open* - *label.h*
+
+Create a labeling handle. Open a labeling backend for use.
+The available backend identifiers are:
+
+- *SELABEL_CTX_FILE* - *file_contexts*.
+- *SELABEL_CTX_MEDIA* - media contexts.
+- *SELABEL_CTX_X* - *x_contexts*.
+- *SELABEL_CTX_DB* - SE-PostgreSQL contexts.
+- *SELABEL_CTX_ANDROID_PROP* – *property_contexts*.
+- *SELABEL_CTX_ANDROID_SERVICE* – *service_contexts*.
+
+Options may be provided via the *opts* parameter; available options are:
+
+- *SELABEL_OPT_UNUSED* - no-op option, useful for unused slots in an array of
+  options.
+- *SELABEL_OPT_VALIDATE* - validate contexts before returning them
+  (boolean value).
+- *SELABEL_OPT_BASEONLY* - don't use local customizations to backend data
+  (boolean value).
+- *SELABEL_OPT_PATH* - specify an alternate path to use when loading backend
+  data.
+- *SELABEL_OPT_SUBSET* - select a subset of the search space as an
+  optimization (file backend).
+- *SELABEL_OPT_DIGEST* – request an SHA1 digest of the specfiles.
+
+Not all options may be supported by every backend.
+Return value is the created handle on success or NULL with errno set on failure.
+
+*selabel_partial_match* - *label.h*
+
+Performs a partial match operation, returning TRUE or FALSE.
+The *key* parameter is a file *path* to check for a direct or partial match.
+Returns TRUE if a direct or partial match is found, FALSE if not.
+
+*selabel_stats* - *label.h*
+
+Log a message with information about the number of queries performed, number
+of unused matching entries, or other operational statistics.
+Message is backend-specific, some backends may not output a message.
+
+*selinux_binary_policy_path* - *selinux.h*
+
+Return path to the binary policy file under the policy root directory.
+
+*selinux_booleans_path* (deprecated) - *selinux.h*
+
+Return path to the booleans file under the policy root directory.
+
+*selinux_boolean_sub* - *selinux.h*
+
+Reads the */etc/selinux/TYPE/booleans.subs_dist* file looking for a record
+with *boolean_name*. If a record exists ***selinux_boolean_sub**(3)* returns
+the translated name otherwise it returns the original name.
+The returned value needs to be freed. On failure NULL will be returned.
+
+*selinux_booleans_subs_path* - *selinux.h*
+
+Returns the path to the *booleans.subs_dist* configuration file.
+
+*selinux_check_access* - *selinux.h*
+
+Used to check if the source context has the access permission for the specified
+class on the target context. Note that the permission and class are reference
+strings. The *aux* parameter may reference supplemental auditing information.
+Auditing is handled as described in ***avc_audit**(3)*.
+See ***security_deny_unknown**(3)* for how the *deny_unknown* flag can
+influence policy decisions.
+
+*selinux_check_passwd_access* (deprecated) - *selinux.h*
+
+Use ***selinux_check_access**(3)*. Check a permission in the passwd class.
+Return 0 if granted or -1 otherwise.
+
+*selinux_check_securetty_context* - *selinux.h*
+
+Check if the tty_context is defined as a securetty. Return 0 if secure,
+\< 0 otherwise.
+
+*selinux_colors_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_contexts_path* - *selinux.h*
+
+Return path to contexts directory under the policy root directory.
+
+*selinux_current_policy_path* - *selinux.h*
+
+Return path to the current policy.
+
+*selinux_customizable_types_path* - *selinux.h*
+
+Return path to customizable_types file under the policy root directory.
+
+*selinux_default_context_path* - *selinux.h*
+
+Return path to default_context file under the policy root directory.
+
+*selinux_default_type_path* - *get_default_type.h*
+
+Return path to *default_type* file.
+
+*selinux_failsafe_context_path* - *selinux.h*
+
+Return path to failsafe_context file under the policy root directory.
+
+*selinux_file_context_cmp* - *selinux.h*
+
+Compare two file contexts, return 0 if equivalent.
+
+*selinux_file_context_homedir_path* - *selinux.h*
+
+Return path to *file_context.homedir* file under the policy root directory.
+
+*selinux_file_context_local_path* - *selinux.h*
+
+Return path to *file_context.local* file under the policy root directory.
+
+*selinux_file_context_path* - *selinux.h*
+
+Return path to *file_context* file under the policy root directory.
+
+*selinux_file_context_subs_path* - *selinux.h*
+
+Return path to *file_context.subs* file under the policy root directory.
+
+*selinux_file_context_subs_dist_path* - *selinux.h*
+
+Return path to *file_context.subs_dist* file under the policy root directory.
+
+*selinux_file_context_verify* - *selinux.h*
+
+Verify the context of the file *path* against policy. Return 0 if correct.
+
+*selinux_get_callback* - *selinux.h*
+
+Used to get a pointer to the callback function of the given *type*.
+Callback functions are set using ***selinux_set_callback**(3)*.
+
+*selinux_getenforcemode* - *selinux.h*
+
+Reads the /etc/selinux/config file and determines whether the machine should
+be started in enforcing (1), permissive (0) or disabled (-1) mode.
+
+*selinux_getpolicytype* - *selinux.h*
+
+Reads the /*etc/selinux/config* file and determines what the default policy
+for the machine is. Calling application must free *policytype*.
+
+*selinux_homedir_context_path* - *selinux.h*
+
+Return path to file under the policy root directory. Note that this file will
+only appear in older versions of policy at this location. On systems that are
+managed using ***semanage**(8)* this is now in the policy store.
+
+*selinux_init_load_policy* - *selinux.h*
+
+Perform the initial policy load.
+This function determines the desired enforcing mode, sets the *enforce*
+argument accordingly for the caller to use, sets the SELinux kernel enforcing
+status to match it, and loads the policy. It also internally handles the
+initial *selinuxfs* mount required to perform these actions.
+The function returns 0 if everything including the policy load succeeds.
+In this case, init is expected to re-exec itself in order to transition to the
+proper security context. Otherwise, the function returns -1, and init must
+check *enforce* to determine how to proceed. If enforcing (*enforce* \> 0),
+then init should halt the system. Otherwise, init may proceed normally without
+a re-exec.
+
+*selinux_lsetfilecon_default* - *selinux.h*
+
+This function sets the file context to the system defaults.
+Returns 0 on success.
+
+*selinux_lxc_contexts_path* - *selinux.h*
+
+Return the path to the *lxc_contexts* configuration file.
+
+*selinux_media_context_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_mkload_policy* - *selinux.h*
+
+Make a policy image and load it.
+This function provides a higher level interface for loading policy than
+***security_load_policy**(3)*, internally determining the right policy version,
+locating and opening the policy file, mapping it into memory, manipulating
+it as needed for current boolean settings and/or local definitions, and then
+calling ***security_load_policy**(3)* to load it.
+*preservebools* is a boolean flag indicating whether current policy boolean
+values should be preserved into the new policy (if 1) or reset to the saved
+policy settings (if 0). The former case is the default for policy reloads,
+while the latter case is an option for policy reloads but is primarily for the
+initial policy load.
+
+*selinux_netfilter_context_path* - *selinux.h*
+
+Returns path to the netfilter_context file under the policy root directory.
+
+*selinux_path* - *selinux.h*
+
+Returns path to the policy root directory.
+
+*selinux_policy_root* - *selinux.h*
+
+Reads the /etc/selinux/config file and returns the top level directory.
+
+*selinux_raw_context_to_color* - *selinux.h*
+
+Perform context translation between security contexts and display colors.
+Returns a space-separated list of ten ten hex RGB triples prefixed by
+hash marks, e.g. *#ff0000*. Caller must free the resulting string
+via ***free**(3)*. Returns -1 upon an error or 0 otherwise.
+
+*selinux_raw_to_trans_context* - *selinux.h*
+
+Perform context translation between the human-readable format (*translated*)
+and the internal system format (*raw*). Caller must free the resulting context
+via ***freecon**(3)*. Returns -1 upon an error or 0 otherwise.
+If passed NULL, sets the returned context to NULL and returns 0.
+
+*selinux_removable_context_path* - *selinux.h*
+
+Return path to *removable_context* file under the policy root directory.
+
+*selinux_restorecon* - *restorecon.h*
+
+Relabel files that automatically calls ***selinux_restorecon_default_handle**(3)* and ***selinux_restorecon_set_sehandle**(3)* first time through to set the ***selabel_open**(3)* parameters to use the currently loaded policy *file_contexts* and request their computed digest.
+Should other ***selabel_open**(3)* parameters be required see ***selinux_restorecon_set_sehandle**(3)*.
+
+*selinux_restorecon_xattr* - *restorecon.h*
+
+Read/remove *RESTORECON_LAST* xattr entries that automatically calls ***selinux_restorecon_default_handle**(3)* and ***selinux_restorecon_set_sehandle**(3)* first time through to set the ***selabel_open**(3)* parameters to use the currently loaded policy *file_contexts* and request their computed digest.
+Should other ***selabel_open**(3)* parameters be required see ***selinux_restorecon_set_sehandle**(3)*, however note that a *file_contexts* computed digest is required for ***selinux_restorecon_xattr**(3)*.
+
+*selinux_restorecon_default_handle* - *restorecon.h*
+
+Sets default ***selabel_open**(3)* parameters to use the currently loaded policy and *file_contexts*, also requests the digest.
+
+*selinux_restorecon_set_alt_rootpath* - *restorecon.h*
+
+Use alternate rootpath.
+
+*selinux_restorecon_set_exclude_list* - *restorecon.h*
+
+Add a list of directories that are to be excluded from relabeling.
+
+*selinux_restorecon_set_sehandle* - *restorecon.h*
+
+Set the global fc handle. Called by a process that has already called ***selabel_open**(3)* with its required parameters, or if ***selinux_restorecon_default_handle**(3)* has been called to set the default ***selabel_open**(3)* parameters.
+
+*selinux_securetty_types_path* - *selinux.h*
+
+Return path to the securetty_types file under the policy root directory.
+
+*selinux_sepgsql_context_path* - *selinux.h*
+
+*Return path to *sepgsql_context* file under the policy root directory.
+
+*selinux_set_callback* - *selinux.h*
+
+Sets the callback according to the type: *SELINUX_CB_LOG*, *SELINUX_CB_AUDIT*, *SELINUX_CB_VALIDATE*, *SELINUX_CB_SETENFORCE*, *SELINUX_CB_POLICYLOAD*
+
+*selinux_set_mapping* - *selinux.h*
+
+Userspace class mapping support that establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.
+
+*selinux_set_policy_root* - *selinux.h*
+
+Sets an alternate policy root directory path under which the compiled policy file and context configuration files exist.
+
+*selinux_status_open* - *avc.h*
+
+Open and map SELinux kernel status page.
+
+*selinux_status_close* - *avc.h*
+
+Unmap and close kernel status page.
+
+*selinux_status_updated* - *avc.h*
+
+Inform whether the kernel status has been updated.
+
+*selinux_status_getenforce* - *avc.h*
+
+Get the enforce flag value.
+
+*selinux_status_policyload* - *avc.h*
+
+Get the number of policy loads.
+
+*selinux_status_deny_unknown* - *avc.h*
+
+Get behaviour for undefined classes/permissions.
+
+*selinux_systemd_contexts_path* - *selinux.h*
+
+Returns the path to the *systemd_contexts* configuration file.
+
+*selinux_reset_config* - *selinux.h*
+
+Force a reset of the loaded configuration. **WARNING**: This is not thread safe.
+Be very sure that no other threads are calling into *libselinux* when this
+is called.
+
+*selinux_trans_to_raw_context* - *selinux.h*
+
+Perform context translation between the human-readable format (*translated*)
+and the internal system format (*raw*). Caller must free the resulting context
+via ***freecon**(3)*. Returns -1 upon an error or 0 otherwise.
+If passed NULL, sets the returned context to NULL and returns 0.
+
+*selinux_translations_path* - *selinux.h*
+
+Return path to setrans.conf file under the policy root directory.
+
+*selinux_user_contexts_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_users_path* (deprecated) - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_usersconf_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_virtual_domain_context_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_virtual_image_context_path* - *selinux.h*
+
+Return path to file under the policy root directory.
+
+*selinux_x_context_path* - *selinux.h*
+
+Return path to x_context file under the policy root directory.
+
+*selinuxfs_exists* - *selinux.h*
+
+Check if selinuxfs exists as a kernel filesystem.
+
+*set_matchpathcon_canoncon* (deprecated) - *selinux.h*
+
+Same as ***set_matchpathcon_invalidcon**(3)*, but also allows canonicalization
+of the context, by changing *context* to refer to the canonical form.
+If not set, and *invalidcon* is also not set, then this defaults to calling
+***security_canonicalize_context**(3)*.
+
+*set_matchpathcon_flags* (deprecated) - *selinux.h*
+
+Set flags controlling operation of ***matchpathcon_init**(3)* or
+***matchpathcon**(3)*:
+
+- *MATCHPATHCON_BASEONLY* - Only process the base file_contexts file.
+- *MATCHPATHCON_NOTRANS* - Do not perform any context translation.
+- *MATCHPATHCON_VALIDATE* - Validate/canonicalize contexts at init time.
+
+*set_matchpathcon_invalidcon* (deprecated) - *selinux.h*
+
+Set the function used by ***matchpathcon_init**(3)* when checking the validity
+of a context in the *file_contexts* configuration. If not set, then this
+defaults to a test based on ***security_check_context**(3)*. The function is
+also responsible for reporting any such error, and may include the *path* and
+*lineno* in such error messages.
+
+*set_matchpathcon_printf* (deprecated) - *selinux.h*
+
+Set the function used by ***matchpathcon_init**(3)* when displaying errors
+about the *file_contexts* configuration. If not set, then this defaults
+to *fprintf(stderr, fmt, ...)*.
+
+*set_selinuxmnt* - *selinux.h*
+
+Set the path to the selinuxfs mount point explicitly. Normally, this is
+determined automatically during libselinux initialization, but this is not
+always possible, e.g. for /sbin/init which performs the initial mount of
+*selinuxfs*.
+
+*setcon*, *setcon_raw* - *selinux.h*
+
+Set the current security context to con.
+Note that use of this function requires that the entire application be trusted
+to maintain any desired separation between the old and new security contexts,
+unlike exec-based transitions performed via ***setexeccon**(3)*.
+When possible, decompose your application and use ***setexeccon**(3)* +
+***execve**(3)* instead. Note that the application may lose access to its
+open descriptors as a result of a ***setcon**(3)* unless policy allows it to
+use descriptors opened by the old context.
+
+*setexeccon*, *setexeccon_raw* - *selinux.h*
+
+Set exec security context for the next ***execve**(3)*.
+Call with NULL if you want to reset to the default.
+
+*setexecfilecon* - *selinux.h*
+
+Set an appropriate security context based on the filename of a helper program,
+falling back to a new context with the specified type.
+
+*setfilecon*, *setfilecon_raw* - *selinux.h*
+
+Wrapper for the xattr API - Set file context.
+
+*setfscreatecon*, *setfscreatecon_raw* - *selinux.h*
+
+Set the fscreate security context for subsequent file creations.
+Call with NULL if you want to reset to the default.
+
+*setkeycreatecon*, *setkeycreatecon_raw* - *selinux.h*
+
+Set the keycreate security context for subsequent key creations.
+Call with NULL if you want to reset to the default.
+
+*setsockcreatecon*, *setsockcreatecon_raw* - *selinux.h*
+
+Set the sockcreate security context for subsequent socket creations.
+Call with NULL if you want to reset to the default.
+
+*sidget* (deprecated) - *avc.h*
+
+From 2.0.86 this is a no-op.
+
+*sidput* (deprecated) - *avc.h*
+
+From 2.0.86 this is a no-op.
+
+*string_to_av_perm* - *selinux.h*
+
+Convert string names to access vector permissions.
+
+*string_to_security_class* - *selinux.h*
+
+Convert string names to security class values.
 
 <!-- %CUTHERE% -->
 

From patchwork Wed Sep  2 13:17:27 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11772479
Return-Path: <SRS0=5TeY=CW=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8CCD2746
	for <patchwork-selinux@patchwork.kernel.org>;
 Sun, 13 Sep 2020 21:59:52 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 4DE3020756
	for <patchwork-selinux@patchwork.kernel.org>;
 Sun, 13 Sep 2020 21:59:52 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="iBouZVpY"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725983AbgIMV7w (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Sun, 13 Sep 2020 17:59:52 -0400
Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:27904 "EHLO
        sa-prd-fep-047.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1725939AbgIMV7v (ORCPT
        <rfc822;selinux@vger.kernel.org>); Sun, 13 Sep 2020 17:59:51 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-048.btinternet.com with ESMTP
          id
 <20200902131744.PPI4139.sa-prd-fep-048.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:44 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052664;
        bh=sfiuhwBUJQVlhXbUwLOWJd+LDRIe8+TqXRPJzyYbaaM=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=iBouZVpYgCr8IrWyVab8ZyuQ9ti6kOgO/sOMUtwuYALISiyvnhRx3af57DOIbh9z5i+xS3RpLLPIR1oJO+zq3A5JsVMVLQJu8LLg8DrBNoEeO1NKiWlItB2C4LvRo+uN96J4cbCcIoch8/vcDKjHstjl3k1Datd6GmjC9agU2nKOph+UP1m+wUaFNO3VWudmgJuPNv7R4w0AVBpptZmpRt0N7DFjsU9wlT93s6Ooks1mctIpc1TMbETbnrFkYu9b6qw/6X11zkr+akW0ZgUJ1I40ZqNVMV4nGra1HgBXPTFdkfA+Dd1y146gj2DMMpPpFQ9xLCGIA8hHK8/aOXWiIg==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36B74; Wed, 2 Sep 2020 14:17:44 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 02/13] mac: Tidy formatting
Date: Wed,  2 Sep 2020 14:17:27 +0100
Message-Id: <20200902131738.18425-3-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/mac.md | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/mac.md b/src/mac.md
index 7b88c24..7f673fe 100644
--- a/src/mac.md
+++ b/src/mac.md
@@ -9,13 +9,13 @@ Each of the subjects and objects have a set of security attributes that
 can be interrogated by the operating system to check if the requested
 operation can be performed or not. For SELinux the:
 
--   [**subjects**](subjects.md#subjects) are processes.
--   [**objects**](objects.md#objects) are system resources such as files,
-    sockets, etc.
--   security attributes are the [**security context**](security_context.md#security-context).
--   Security Server within the Linux kernel authorizes access (or not)
-    using the security policy (or policy) that describes rules that must
-    be enforced.
+- [**subjects**](subjects.md#subjects) are processes.
+- [**objects**](objects.md#objects) are system resources such as files,
+  sockets, etc.
+- security attributes are the [**security context**](security_context.md#security-context).
+- Security Server within the Linux kernel authorizes access (or not)
+  using the security policy (or policy) that describes rules that must
+  be enforced.
 
 Note that the subject (and therefore the user) cannot decide to bypass
 the policy rules being enforced by the MAC policy with SELinux enabled.
@@ -35,8 +35,8 @@ SELinux supports two forms of MAC:
 objects are controlled by policy. This is the implementation used for
 general purpose MAC within SELinux along with Role Based Access Control.
 The [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) and
-[**Role Based Access Control**](rbac.md#role-based-access-control) sections covers
-these in more detail.
+[**Role Based Access Control**](rbac.md#role-based-access-control) sections
+covers these in more detail.
 
 **Multi-Level Security** - This is an implementation based on the
 Bell-La Padula (BLP) model, and used by organizations where different
@@ -51,14 +51,14 @@ Multi-Category Security (MCS).
 The MLS / MCS services are now more generally used to maintain
 application separation, for example SELinux enabled:
 
--   virtual machines use MCS categories to allow each VM to run within
-    its own domain to isolate VMs from each other (see the
-    [**SELinux Virtual Machine Support**](vm_support.md#selinux-virtual-machine-support)
-    section).
--   Android devices use dynamically generated MCS categories so that an
-    app running on behalf of one user cannot read or write files created
-    by the same app running on behalf of another user (see the
-    [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section).
+- virtual machines use MCS categories to allow each VM to run within
+  its own domain to isolate VMs from each other (see the
+  [**SELinux Virtual Machine Support**](vm_support.md#selinux-virtual-machine-support)
+  section).
+- Android devices use dynamically generated MCS categories so that an
+  app running on behalf of one user cannot read or write files created
+  by the same app running on behalf of another user (see the
+  [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section).
 
 <!-- %CUTHERE% -->
 

From patchwork Wed Sep  2 13:17:28 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11775933
Return-Path: <SRS0=vGri=CY=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 002DE139F
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 09:37:17 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id ABC512080C
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 09:37:16 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="BbIxsh0f"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726119AbgIOJhQ (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 15 Sep 2020 05:37:16 -0400
Received: from mailomta10-sa.btinternet.com ([213.120.69.16]:14299 "EHLO
        sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726102AbgIOJhP (ORCPT
        <rfc822;selinux@vger.kernel.org>); Tue, 15 Sep 2020 05:37:15 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-042.btinternet.com with ESMTP
          id
 <20200902131745.VSZA26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:45 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052665;
        bh=5PGcYHMCN3Fy+tNhHTEN/QK+aIfiTYzRERfSRkoyMuk=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=BbIxsh0fPqlPFIH4zu5NuLDBWL+cRUKkhnIwpORb576H7yAam45ug6pdKhZIHxz9SuwCmG7fEn5cCXoqcfASpr9sRGBbp7z8Hix6zndi1RUprT95i0bUd5PgEJa5PmpP+6WBtUlhMGVYqkQnyjOXezCIuB662Po0S8ms90qZfUw/FC2VNltR2w+5rvj6KiwENYuvbDOtvnwOpB7vxG2n89531xBbKEraPqgHfEHqmYerFGDeXdGvxGoW2w/UeCl2+dOq5w0iOMxDsSSGxiozqoFuTG6ynLIMcbANAsYJiz19yyMpEpzCHLPaM0Io26xo6Zrx/Gafn8dO0n2qTH9lbw==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36B7F; Wed, 2 Sep 2020 14:17:45 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 03/13] modular_policy_statements: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:28 +0100
Message-Id: <20200902131738.18425-4-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/modular_policy_statements.md | 229 +++++++++++++------------------
 1 file changed, 95 insertions(+), 134 deletions(-)

diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md
index e829e32..e62e6ac 100644
--- a/src/modular_policy_statements.md
+++ b/src/modular_policy_statements.md
@@ -1,5 +1,9 @@
 # Modular Policy Support Statements
 
+- [*module*](#module)
+- [*require*](#require)
+- [*optional*](#optional)
+
 This section contains statements used to support policy modules. They are
 not part of the kernel policy language.
 
@@ -9,7 +13,7 @@ This statement is mandatory for loadable modules (non-base) and must be
 the first line of any module policy source file. The identifier should
 not conflict with other module names within the overall policy,
 otherwise it will over-write an existing module when loaded via the
-semodule command. The ***semodule -l*** command can be used to list all active
+semodule command. The *semodule -l* command can be used to list all active
 modules within the policy.
 
 **The statement definition is:**
@@ -20,49 +24,32 @@ module module_name version_number;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>module</code></td>
-<td>The <code>module</code> keyword.</td>
-</tr>
-<tr>
-<td><code>module_name</code></td>
-<td>The <code>module</code> name. </td>
-</tr>
-<tr>
-<td><code>version_number</code></td>
-<td>The module version number in M.m.m format (where M = major version number and m = minor version numbers).</td>
-</tr>
-</tbody>
-</table>
+*module*
+
+The *module* keyword.
+
+*module_name*
+
+The *module* name.
+
+*version_number*
+
+The module version number in M.m.m format (where M = major version number
+and m = minor version numbers).
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
@@ -77,15 +64,15 @@ module bind 1.0.0;
 
 The require statement is used for two reasons:
 
-1.  Within loadable module policy source files to indicate what policy
-    components are required from an external source file (i.e. they are
-    not explicitly defined in this module but elsewhere). The examples
-    below show the usage.
-2.  Within a base policy source file, but only if preceded by the
-    [***optional***](#optional) to indicate what policy components
-    are required from an external source file (i.e. they are not
-    explicitly defined in the base policy but elsewhere). The examples
-    below show the usage.
+1. Within loadable module policy source files to indicate what policy
+   components are required from an external source file (i.e. they are
+   not explicitly defined in this module but elsewhere). The examples
+   below show the usage.
+2. Within a base policy source file, but only if preceded by the
+   [***optional***](#optional) to indicate what policy components
+   are required from an external source file (i.e. they are not
+   explicitly defined in the base policy but elsewhere). The examples
+   below show the usage.
 
 **The statement definition is:**
 
@@ -95,49 +82,38 @@ require { rule_list }
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>require</code></td>
-<td>The <code>require</code> keyword.</td>
-</tr>
-<tr>
-<td><code>require_list</code></td>
-<td><p>One or more specific statement keywords with their required identifiers in a semi-colon ';' separated list enclosed within braces '{}'. </p>
-<p>The valid statement keywords are:</p>
-<p><code>role</code>, <code>type</code>, <code>attribute</code>, <code>user</code>, <code>bool</code>, <code>sensitivity</code> and <code>category</code>. The keyword is followed by one or more identifiers in a comma ',' separated list, with the last entry being terminated with a semi-colon (;).</p>
-<p><code>class</code> - The class keyword is followed by a single object class identifier and one or more permissions. Multiple permissions consist of a space separated list enclosed within braces '{}'. The list is then terminated with a semi-colon ';'.</p>
-<p>The examples below show these in detail.</p></td>
-</tr>
-</tbody>
-</table>
+*require*
+
+The *require* keyword.
+
+*require_list*
+
+One or more specific statement keywords with their required identifiers
+in a semi-colon ';' separated list enclosed within braces '{}'. The examples
+below show these in detail. The valid statement keywords are:
+
+- *role*, *type*, *attribute*, *user*, *bool*, *sensitivity* and
+  *category* - The keyword is followed by one or more identifiers in a
+  comma ',' separated list, with the last entry being terminated with a
+  semi-colon ';'.
+- *class* - The class keyword is followed by a single object class identifier
+  and one or more permissions. Multiple permissions consist of a space
+  separated list enclosed within braces '{}'. The list is then terminated
+  with a semi-colon ';'.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes - But only if proceeded by the <code>optional</code> Statement</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>Yes - But only if proceeded by the <code>optional</code> Statement</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| No | Yes (only if proceeded by the *optional* Statement) | Yes              |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes (only if proceeded by the *optional* Statement) | Yes       | No        |
 
 **Examples:**
 
@@ -183,53 +159,38 @@ optional { rule_list } [ else { rule_list } ]
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>optional</code></td>
-<td>The <code>optional</code> keyword.</td>
-</tr>
-<tr>
-<td><code>rule_list</code></td>
-<td>One or more statements enclosed within braces '{}'. The list of valid statements is given in <em><a href="kernel_policy_language.md#kernel-policy-language"><strong>Table 3:</strong> The policy language statements and rules that are allowed within each type of policy source file</a></em>.</td>
-</tr>
-<tr>
-<td><code>else</code></td>
-<td>An optional <code>else</code> keyword.</td>
-</tr>
-<tr>
-<td><code>rule_list</code></td>
-<td>As the <code>rule_list</code> above.</td>
-</tr>
-</tbody>
-</table>
+*optional*
+
+The *optional* keyword.
+
+*rule_list*
+
+One or more statements enclosed within braces '{}'. The list of valid
+statements is given in
+[**Table 3:** of the Kernel Policy Language](kernel_policy_language.md#kernel-policy-language)
+section.
+
+*else*
+
+An optional *else* keyword.
+
+*rule_list*
+
+As the *rule_list* above.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
 
 **Examples:**
 

From patchwork Wed Sep  2 13:17:29 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11778931
Return-Path: <SRS0=BB3M=CZ=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 17610618
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 05:16:09 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id A529720936
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 05:16:08 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="l9Kar5KU"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726069AbgIPFQI (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Wed, 16 Sep 2020 01:16:08 -0400
Received: from mailomta29-sa.btinternet.com ([213.120.69.35]:44954 "EHLO
        sa-prd-fep-046.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726068AbgIPFQH (ORCPT
        <rfc822;selinux@vger.kernel.org>); Wed, 16 Sep 2020 01:16:07 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-045.btinternet.com with ESMTP
          id
 <20200902131745.VNDB4112.sa-prd-fep-045.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:45 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052665;
        bh=7UovMaRWkhQ2n9+fT5lDImm1PPTEFwBvyFQOiVXNBxw=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=l9Kar5KUK+ut1kPFWubuO2J5uMDC10tu6mxcOBc30vUqtpqJvZ7wJvonXjn2vw28N+Z4tpxG0/LSK4hwtPci/IRVI/E+xNPAmTAsZWX1Neb5ZF1rlxrhp+ElxpYwvhWC98JprryRQtLDz997cR8HE2V+dJJoz4W5ZMr+omx8xXrVnAu+yQdL6d+ojzVTofsGVDtJMXJa0ghk4synEUladEGYdelDUNEKg6V4BvQUbMP4M8XImP7WmyAldoKP1ECTzGNX2K7ZmldHV5h8GvoPJE8PEmWEu0Y0qgbR9zwWANk+zt8ebMsCb5sjNCLj4OMWsjEYPirA3BaXyDO6nZaivA==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36B91; Wed, 2 Sep 2020 14:17:45 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 04/13] network_statements: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:29 +0100
Message-Id: <20200902131738.18425-5-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/network_statements.md | 261 ++++++++++++++++----------------------
 1 file changed, 108 insertions(+), 153 deletions(-)

diff --git a/src/network_statements.md b/src/network_statements.md
index a1e3b88..8ba411e 100644
--- a/src/network_statements.md
+++ b/src/network_statements.md
@@ -1,5 +1,13 @@
 # Network Labeling Statements
 
+- [Network Address Formats](#network-address-formats)
+  - [IPv4 Address Format](#ipv4-address-format)
+  - [IPv6 Address Formats](#ipv6-address-formats)
+- [*netifcon*](#netifcon)
+- [*nodecon*](#nodecon)
+- [*portcon*](#portcon)
+
+
 The network labeling statements are used to label the following objects:
 
 **Network interfaces** - This covers those interfaces managed by the
@@ -28,6 +36,8 @@ sid node system_u:object_r:node_t:s0 - s15:c0.c255
 sid port system_u:object_r:port_t:s0
 ```
 
+## Network Address Formats
+
 ### IPv4 Address Format
 
 IPv4 addresses are represented in dotted-decimal notation (four
@@ -49,34 +59,30 @@ where each group is separated by a colon ':' as follows:
 To shorten the writing and presentation of addresses, the following
 rules apply:
 
-1.  Any leading zeros in a group may be replaced with a single '0' as
-    shown:
+Any leading zeros in a group may be replaced with a single '0' as shown:
 
 ```
 2001:db8:85a3:0:0:8a2e:370:7334
 ```
 
-2.  Any leading zeros in a group may be omitted and be replaced with two
-    colons '::', however this is only allowed once in an address as
-    follows:
+Any leading zeros in a group may be omitted and be replaced with two
+colons '::', however this is only allowed once in an address as follows:
 
 ```
 2001:db8:85a3::8a2e:370:7334
 ```
 
-3.  The *localhost* (loopback) address can be written as:
+The *localhost* (loopback) address can be written as:
 
 ```
 0000:0000:0000:0000:0000:0000:0000:0001
-```
 
 Or
 
-```
 ::1
 ```
 
-4.  An undetermined IPv6 address i.e. all bits are zero is written as:
+An undetermined IPv6 address i.e. all bits are zero is written as:
 
 ```
 ::
@@ -88,8 +94,8 @@ The *netifcon* statement is used to label network interface objects (e.g.
 eth0) for peer labeling (see the
 [***netif* object class**](object_classes_permissions.md#network-object-classes)).
 
-It is also possible to use the ***semanage**(8)* interface command to associate
-the interface to a security context.
+It is also possible to use the ***semanage**(8)* *interface* command to
+associate the interface to a security context.
 
 **The statement definition is:**
 
@@ -99,54 +105,38 @@ netifcon netif_id netif_context packet_context
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>netifcon</code></td>
-<td>The <code>netifcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>netif_id</code></td>
-<td>The network interface name (e.g. eth0).</td>
-</tr>
-<tr>
-<td><code>netif_context</code></td>
-<td>The security context allocated to the network interface.</td>
-</tr>
-<tr>
-<td><code>packet_context</code></td>
-<td><p>The security context allocated packets. Note that these are defined but unused.</p>
-<p>The iptables(8)/nftables(8) <a href="network_support.md#packet-controls-secmark">SECMARK services</a> should be used to label packets.</p></td>
-</tr>
-</tbody>
-</table>
+*netifcon*
+
+The *netifcon* keyword.
+
+*netif_id*
+
+The network interface name (e.g. eth0).
+
+*netif_context*
+
+The security context allocated to the network interface.
+
+*packet_context*
+
+The security context allocated packets. Note that these are defined but unused.
+The ***iptables**(8)* / ***nft**(8)*
+[**SECMARK services**](network_support.md#packet-controls-secmark) should be
+used to label packets.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
@@ -165,9 +155,9 @@ semanage interface -a -t netif_t eth2
 ```
 
 This command will produce the following file in the default
-&lt;SELINUXTYPE&gt; policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/interfaces.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/interfaces.local*:
 
 ```
 # This file is auto-generated by libsemanage
@@ -185,7 +175,7 @@ labeling (see the
 that represent IPv4 or IPv6 IP addresses and network masks.
 
 It is also possible to add SELinux these outside the policy using the
-***semanage**(8)* 'node' command that will associate the node to a security
+***semanage**(8)* *node* command that will associate the node to a security
 context.
 
 **The statement definition is:**
@@ -196,54 +186,37 @@ nodecon subnet netmask node_context
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>nodecon</code></td>
-<td>The <code>nodecon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>subnet</code></td>
-<td><p>The subnet or specific IP address in IPv4 or IPv6 format.</p>
-<p>Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.</p></td>
-</tr>
-<tr>
-<td><code>netmask</code></td>
-<td>The subnet mask in IPv4 or IPv6 format.</td>
-</tr>
-<tr>
-<td><code>node_context<code></td>
-<td>The security context for the node.</td>
-</tr>
-</tbody>
-</table>
+*nodecon*
+
+The *nodecon* keyword.
+
+*subnet*
+
+The subnet or specific IP address in IPv4 or IPv6 format.
+Note that the subnet and netmask values are used to ensure that the
+*node_context* is assigned to all IP addresses within the subnet range.
+
+*netmask*
+
+The subnet mask in IPv4 or IPv6 format.
+
+*node_context*
+
+The security context for the node.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Examples:**
 
@@ -267,9 +240,9 @@ semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2
 ```
 
 This command will produce the following file in the default
-&lt;SELINUXTYPE&gt; policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/nodes.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/nodes.local*:
 
 ```
 # This file is auto-generated by libsemanage
@@ -283,7 +256,7 @@ nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0
 The *portcon* statement is used to label udp, tcp, dccp or sctp ports.
 
 It is also possible to add a security context to ports outside the
-policy using the ***semanage**(8)* 'port' command that will associate the port
+policy using the ***semanage**(8)* *port* command that will associate the port
 (or range of ports) to a security context.
 
 **The statement definition is:**
@@ -294,53 +267,35 @@ portcon protocol port_number port_context
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>portcon</code></td>
-<td>The <code>portcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>protocol</code></td>
-<td>The protocol type. Valid entries are udp, tcp or <em>dccp</em>.</td>
-</tr>
-<tr>
-<td><code>port_number</code></td>
-<td>The port number or range of ports. The ranges are separated by a hyphen (-).</td>
-</tr>
-<tr>
-<td><code>port_context</code></td>
-<td>The security context for the port or range of ports.</td>
-</tr>
-</tbody>
-</table>
+*portcon*
+
+The *portcon* keyword.
+
+*protocol*
+
+The protocol type. Valid entries are udp, tcp or dccp.
+
+*port_number*
+
+The port number or range of ports. The ranges are separated by a hyphen '-'.
+
+*port_context*
+
+The security context for the port or range of ports.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Examples:**
 
@@ -361,9 +316,9 @@ semanage port -a -t reserved_port_t -p udp 1234
 ```
 
 This command will produce the following file in the default
-&lt;SELINUXTYPE&gt; policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
 
-*/var/lib/selinux/&lt;SELINUXTYPE&gt;/active/ports.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/ports.local*:
 
 ```
 # This file is auto-generated by libsemanage

From patchwork Wed Sep  2 13:17:30 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11779517
Return-Path: <SRS0=BB3M=CZ=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B064F618
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 10:04:13 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id E52432220F
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 10:04:08 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="LrGlB5KP"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726349AbgIPKEI (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Wed, 16 Sep 2020 06:04:08 -0400
Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:34379 "EHLO
        sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726669AbgIPKEI (ORCPT
        <rfc822;selinux@vger.kernel.org>); Wed, 16 Sep 2020 06:04:08 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-047.btinternet.com with ESMTP
          id
 <20200902131746.ILLU4609.sa-prd-fep-047.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:46 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052666;
        bh=jTK0IktSsmSWiH2+1y47k1mW/rTfNf57qprk2TR0Z/w=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=LrGlB5KPERpQSDoDIf2wFdoPXDGyDH95egcCR0AR1+4iCjhSZVQVEE3ktcLtrsLVJghhaATy8QSwTJNeW0Cz32Sb7d35naRn4LLHGzqne7mr/8B1bIgiZGIb9mRHK43M7J6X3XHkjylmBNMAqdN3FSmSENMRAIFAqkVJqh61pCOD6EG2yDd/21jeA1VJi8zLeAC1H0qu4YbQ2aRT461lyFPOjfqyB0koP3IXH76G0xlrZU+NXk3GoZsg693e7gletf5EaAAYN6Oow/y+GniRjKASj5OSFl/ljTSGU4Otza+iOBi41teP8CCMfvjr5ZDJ08MvSGE35CNDzZ0AZC1MYw==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=49/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecuogfuuhhsphgvtghtffhomhgrihhnucdlgeelmdenucfjughrpefhvffufffkofgjfhggtgfgsehtkeertdertdejnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeehgfegteevgeevueekvdejtdegkeevhfdvuddvueduudetffevtdekteefleeuvdenucffohhmrghinheplhhivhgvjhhouhhrnhgrlhdrtghomhdpihgvthhfrdhorhhgpdhrvgguhhgrthdrtghomhenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggp
        tggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 49
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BA7; Wed, 2 Sep 2020 14:17:46 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 05/13] network_support: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:30 +0100
Message-Id: <20200902131738.18425-6-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Moved some text, but no text changes.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/network_support.md | 270 +++++++++++++++++++++--------------------
 1 file changed, 141 insertions(+), 129 deletions(-)

diff --git a/src/network_support.md b/src/network_support.md
index 5faa578..36af1f4 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -1,24 +1,33 @@
 # SELinux Networking Support
 
+- [Packet controls: SECMARK](#packet-controls-secmark)
+- [Packet controls: NetLabel - Fallback Peer Labeling](#packet-controls-netlabel---fallback-peer-labeling)
+- [Packet controls: NetLabel - CIPSO/CALIPSO](#packet-controls-netlabel-cipsocalipso)
+- [Packet controls: Labeled IPSec](#packet-controls-labeled-ipsec)
+- [Packet controls: Access Control for Network Interfaces](#packet-controls-access-control-for-network-interfaces)
+- [Packet controls: Access Control for Network Nodes](#packet-controls-access-control-for-network-nodes)
+- [Socket controls: Access Control for Network Ports](#socket-controls-access-control-for-network-ports)
+- [Labeled Network FileSystem (NFS)](#labeled-network-filesystem-nfs)
+
 SELinux controls network access in the kernel at two locations: at the
 socket interface, and when packets are processed by the protocol
 stacks. Controls at the socket interface are invoked when a task makes
 network related system calls and thus the access permission checks
 mimic the sockets programming interface (e.g. ***bind**(2)*
-vs. `node_bind`). Packet controls are more distant from applications
+vs. *node_bind*). Packet controls are more distant from applications
 and they are invoked whenever any packets are received, forwarded or
 sent.
 
 Packet level controls include:
 
-* Packet labeling with SECMARK: class `packet`
-* Peer labeling with Labeled IPSec or NetLabel: class `peer`
-* Interface control: class `netif`
-* Network node control: class `node`
+- Packet labeling with SECMARK: class *packet*
+- Peer labeling with Labeled IPSec or NetLabel: class *peer*
+- Interface control: class *netif*
+- Network node control: class *node*
 
 Controls at socket interface include:
 
-* TCP/UDP/SCTP/DCCP ports: class `port`
+- TCP/UDP/SCTP/DCCP ports: class *port*
 
 SECMARK is a security extension in Linux network packet processing,
 which allows packets or sessions to be marked with security labels.
@@ -26,7 +35,7 @@ which allows packets or sessions to be marked with security labels.
 NetLabel is a framework for explicit network labeling that abstracts
 away the underlying labeling protocol from the LSMs. Labeled IPsec and
 the NetLabel framework are the current access controls for class
-`peer`, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, and
+*peer*, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, and
 a fallback/static labeling for unlabeled IPv4 and IPv6 networks.
 
 Packet controls can be organized further according to the source of
@@ -37,8 +46,8 @@ managed internally within a single machine (i.e. their labels are not
 transmitted as part of the session with remote systems). There are two
 types supported: SECMARK and NetLabel with the static/fallback
 "protocol". As an example, SECMARK access controls could restrict
-`firefox_t` to talking only to network services on TCP port 80 while
-NetLabel fallback/static rules could restrict `firefox_t` to only
+*firefox_t* to talking only to network services on TCP port 80 while
+NetLabel fallback/static rules could restrict *firefox_t* to only
 receive data from specific IP addresses on a specific network
 interface.
 
@@ -49,10 +58,10 @@ NetLabel/CIPSO (Commercial IP Security Option) and NetLabel/CALIPSO
 (Common Architecture Label IPv6 Security Option). With labeled
 networking, it's possible to compare the security attributes (SELinux
 label) of the sending peer with the security context of the receiving
-peer. A simple example with Labeled IPSec is restricting `firefox_t`
-to talking only to `httpd_t`, while NetLabel/CIPSO & CALIPSO could
-restrict domains with MLS security level `s32` not to talk with
-domains with level `s31`.
+peer. A simple example with Labeled IPSec is restricting *firefox_t*
+to talking only to *httpd_t*, while NetLabel/CIPSO & CALIPSO could
+restrict domains with MLS security level *s32* not to talk with
+domains with level *s31*.
 
 SELinux network access controls are not enabled by default. They can
 be enabled by configuring SECMARK, NetLabel or Labeled IPsec rules, or
@@ -102,11 +111,11 @@ dnf install libreswan
 ```
 
 It is important to note that the kernel must be configured to support
-these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`,
-`CONFIG_NF_CONNTRACK_SECMARK`,
-`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`,
-`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`,
-`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are
+these services (*CONFIG_NETLABEL*, *CONFIG_NETWORK_SECMARK*,
+*CONFIG_NF_CONNTRACK_SECMARK*,
+*CONFIG_NETFILTER_XT_TARGET_CONNSECMARK*,
+*CONFIG_NETFILTER_XT_TARGET_SECMARK*, *CONFIG_IP_NF_SECURITY*,
+*CONFIG_IP6_NF_SECURITY*). At least Fedora and Debian kernels are
 configured to handle all the above services.
 
 The Linux networking package *iproute* has an SELinux aware socket
@@ -125,7 +134,7 @@ automatically inspects all incoming and outgoing packets and can place
 controls on interfaces, IP addresses (nodes) and ports with the added
 advantage of connection tracking. The SECMARK security extensions allow
 security contexts to be added to packets (SECMARK) or sessions
-(CONNSECMARK), belonging to object class of `packet`.
+(CONNSECMARK), belonging to object class of *packet*.
 
 The NetFilter framework inspects and tag packets with labels as defined
 within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with
@@ -142,16 +151,16 @@ this Notebook, there are tutorials available. The
 **Figure 13: SECMARK Processing** shows the basic structure with the process
 working as follows:
 
--   A table called the *security table* is used to define the parameters
-    that identify and 'mark' packets that can then be tracked as the
-    packet travels through the networking sub-system. These 'marks' are
-    called SECMARK and CONNSECMARK.
--   A SECMARK is placed against a packet if it matches an entry in the
-    security table applying a label that can then be used to enforce
-    policy on the packet.
--   The CONNSECMARK 'marks' all packets within a
-    session<a href="#fnn1" class="footnote-ref" id="fnnet1"><strong><sup>1</sup></strong></a>
-    with the appropriate label that can then be used to enforce policy.
+- A table called the *security table* is used to define the parameters
+  that identify and 'mark' packets that can then be tracked as the
+  packet travels through the networking sub-system. These 'marks' are
+  called SECMARK and CONNSECMARK.
+- A SECMARK is placed against a packet if it matches an entry in the
+  security table applying a label that can then be used to enforce
+  policy on the packet.
+- The CONNSECMARK 'marks' all packets within a
+  session[^fn_ns_1] with the appropriate label that can then be used to
+  enforce policy.
 
 ![](./images/13-secmark.png)
 
@@ -226,7 +235,7 @@ table ip6 security {
 
 Before the SECMARK rules can be loaded, TE rules must be added to
 define the types, and also allow domains to send and/or receive
-objects of `packet` class:
+objects of *packet* class:
 
 ```
 type test_server_packet_t, packet_type;
@@ -235,8 +244,9 @@ allow my_server_t test_server_packet_t:packet { send recv };
 ```
 
 The following articles explain the SECMARK service:
--   [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html)
--   [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html)
+
+- [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html)
+- [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html)
 
 ## Packet controls: NetLabel - Fallback Peer Labeling
 
@@ -277,20 +287,19 @@ commands will fail.
 
 Before the NetLabel rules can be loaded, TE rules must be added to
 define the types. Then the rules can allow domains to receive data
-from objects of `peer` class:
+from objects of *peer* class:
 
 ```
 type netlabel_sctp_peer_t;
 
 allow my_server_t netlabel_sctp_peer_t:peer recv;
 ```
-Note that sending can't be controlled with `peer` class.
+Note that sending can't be controlled with *peer* class.
 
 ## Packet controls: NetLabel – CIPSO/CALIPSO
 
 To allow MLS or MCS [**security levels**](mls_mcs.md#security-levels)
-to be passed over a network between MLS or MCS systems<a href="#fnn2"
-class="footnote-ref" id="fnnet2"><strong><sup>2</sup></strong></a>,
+to be passed over a network between MLS or MCS systems[^fn_ns_2],
 the Commercial IP Security Option (CIPSO) protocol is used. This is defined in the
 [**CIPSO Internet Draft**](http://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01)
 document (this is an obsolete document, however the protocol is still in
@@ -311,11 +320,12 @@ The protocol is configured by the NetLabel service
 ***netlabelctl**(8)* and can be used by other security modules that use
 the LSM infrastructure. The implementation supports:
 
-1.  A non-translation option (Tag Type 1 '**bit mapped**') where labels are
-    passed to / from systems unchanged (for host to host communications as
-    show in **Figure 15**).
--   Note that CALIPSO only supports this option, and an example
-    ***netlabelctl**(8)* command setting a DOI of 16 is:
+1. A non-translation option (Tag Type 1 '**bit mapped**') where labels are
+   passed to / from systems unchanged (for host to host communications as
+   show in **Figure 15**).
+   - Note that CALIPSO only supports this option, and an example
+     ***netlabelctl**(8)* command setting a DOI of 16 is:
+
 ```
 netlabelctl calipso add pass doi:16
 ```
@@ -324,15 +334,15 @@ netlabelctl calipso add pass doi:16
 
 **Figure 15:** - *MLS Systems on the same network*
 
-2.  Allow a maximum of 256 sensitivity levels and 240 categories to be mapped
-    (Tag Type 2 '**enumerated**').
+2. Allow a maximum of 256 sensitivity levels and 240 categories to be mapped
+   (Tag Type 2 '**enumerated**').
 
-3.  A translation option (Tag Type 5 '**range**') where both the sensitivity
-    and category components can be mapped for systems that have either different
-    definitions for labels or information can be exchanged over different
-    networks (for example using an SELinux enabled gateway as a guard as
-    shown in **Figure 16**. An example ***netlabelctl**(8)* command setting
-    a DOI of 8 is: *netlabelctl cipsov4 add pass doi:8 tags:5*
+3. A translation option (Tag Type 5 '**range**') where both the sensitivity
+   and category components can be mapped for systems that have either different
+   definitions for labels or information can be exchanged over different
+   networks (for example using an SELinux enabled gateway as a guard as
+   shown in **Figure 16**. An example ***netlabelctl**(8)* command setting
+   a DOI of 8 is: *netlabelctl cipsov4 add pass doi:8 tags:5*
 
 ![](./images/16-mls2.png)
 
@@ -377,20 +387,18 @@ two systems as part of the channel set-up.*
 
 Basically what happens is as follows:
 
-1.  The security policy database (SPD) defines the security
-    communications characteristics to be used between the two systems.
-    This is populated using the **setkey**(8) or ***ip-xfrm**(8)* commands.
-2.  The SAs have their configuration parameters such as protocols used
-    for securing packets, encryption algorithms and how long the keys
-    are valid held in the Security Association database (SAD). For
-    Labeled IPSec the security context (or labels) is also defined
-    within the SAD. SAs can be negotiated between the two systems using
-    either racoon or
-    pluto<a href="#fnn3" class="footnote-ref" id="fnnet3"><strong><sup>3</sup></strong></a>
-    that will automatically populate the SAD or manually by the setkey utility
-    (see the example below).
-3.  Once the SAs have been negotiated and agreed, the link should be
-    active.
+1. The security policy database (SPD) defines the security
+   communications characteristics to be used between the two systems.
+   This is populated using the **setkey**(8) or ***ip-xfrm**(8)* commands.
+2. The SAs have their configuration parameters such as protocols used
+   for securing packets, encryption algorithms and how long the keys
+   are valid held in the Security Association database (SAD). For
+   Labeled IPSec the security context (or labels) is also defined
+   within the SAD. SAs can be negotiated between the two systems using
+   either racoon or pluto[^fn_ns_3] that will automatically populate the
+   SAD or manually by the setkey utility (see the example below).
+3. Once the SAs have been negotiated and agreed, the link should be
+   active.
 
 A point to note is that SAs are one way only, therefore when two systems
 are communicating (using the above example), one system will have an SA,
@@ -405,26 +413,25 @@ protocol (e.g. ESP (encapsulated security payload) and AH
 The object class used for the association of an SA is association and
 the permissions available are as follows:
 
-<table>
-<tbody>
-<tr>
-<td><code>polmatch</code></td>
-<td>Match the SPD context (-ctx) entry to an SELinux domain (that is contained in the SAD -ctx entry)</td>
-</tr>
-<tr>
-<td><code>recvfrom</code></td>
-<td>Receive from an IPSec association.</td>
-</tr>
-<tr>
-<td><code>sendto</code></td>
-<td>Send to an IPSec association.</td>
-</tr>
-<tr>
-<td><code>setcontext</code></td>
-<td>Set the context of an IPSec association on creation (e.g. when running setkey the process will require this permission to set the context in the SAD and SPD, also racoon / <em>pluto</em> will need this permission to build the SAD).</td>
-</tr>
-</tbody>
-</table>
+*polmatch*
+
+- Match the SPD context (-ctx) entry to an SELinux domain (that is contained
+  in the SAD -ctx entry)
+
+*recvfrom*
+
+- Receive from an IPSec association.
+
+*sendto*
+
+- Send to an IPSec association.
+
+*setcontext*
+
+- Set the context of an IPSec association on creation (e.g. when running
+  ***setkey**(8)* the process will require this permission to set the context
+  in the SAD and SPD, also *racoon* / *pluto* will need this permission to
+  build the SAD).
 
 When running Labeled IPSec it is recommended that the systems use the
 same type/version of policy to avoid any problems with them having
@@ -432,12 +439,11 @@ different meanings.
 
 There are two possible labeled IPSec solutions available on Fedora:
 
--   IPSec Tools - This uses the ***setkey**(8)* tools and ***racoon**(8)*
-Internet Key Exchange (IKE) daemon.
-
--   LibreSwan - This uses ***ipsec**(8)* tools and ***pluto**(8)* Internet
-Key Exchange (IKE) daemon. Note that the Fedora build uses the kernel
-**netkey** services as Libreswan can be built to support other types.
+1. IPSec Tools - This uses the ***setkey**(8)* tools and ***racoon**(8)*
+   Internet Key Exchange (IKE) daemon.
+2. LibreSwan - This uses ***ipsec**(8)* tools and ***pluto**(8)* Internet
+   Key Exchange (IKE) daemon. Note that the Fedora build uses the kernel
+   *netkey* services as Libreswan can be built to support other types.
 
 Both work in much the same way but use different configuration files.
 
@@ -472,7 +478,7 @@ firewall-cmd --add-service ipsec
 
 There are two simple examples in the
 [***notebook-examples/network/ipsec***](notebook-examples/network/README.md)
-section. These use ***setkey**(8)* and  commands directly
+section. These use ***setkey**(8)* and commands directly
 and therefore do not require the IKE daemons.
 
 The ***ip-xfrm**(8)* example:
@@ -500,31 +506,11 @@ article and a good reference covering **Basic Labeled IPsec Configuration**
 available at:
 <http://www.redhat.com/archives/redhat-lspp/2006-November/msg00051.html>
 
-## Labeled Network FileSystem (NFS)
-
-Version 4.2 of NFS supports labeling between client/server and requires
-the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to
-be set:
-
-```
-exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
-```
-
-Labeled NFS requires kernel 3.14 and the following package installed:
-
-```
-dnf install nfs-utils
-```
-
-Labeled NFS clients must use a consistent security policy.
-
-The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
-
 ## Packet controls: Access Control for Network Interfaces
 
 SELinux domains can be restricted to use only specific network
 interfaces. TE rules must define the interface types and then allow a
-domain to `egress` in class `netif` for the defined interface types:
+domain to *egress* in class *netif* for the defined interface types:
 
 ```
 require {
@@ -540,13 +526,14 @@ allow my_server_t loopback_if_t:netif egress;
 ```
 
 The interfaces must also be labeled with ***semanage**(8)* (or by
-using `netifcon` statements in the policy):
+using *netifcon* statements in the policy):
+
 ```
 semanage interface -a -t loopback_if_t -r s0 lo
 semanage interface -a -t external_if_t -r s0 eth0
 ```
 
-The checks for `ingress` in class `netif` however use the peer label
+The checks for *ingress* in class *netif* however use the peer label
 of the remote peer (not the receiving task on the local system) as
 subject:
 
@@ -569,9 +556,9 @@ Domains can be restricted by SELinux to access and bind sockets to
 only dedicated network nodes (in practice, IP addresses).
 
 The node types must be defined and then the node types can be used for
-TE rules as target context. TE rules to allow a domain to `sendto` for
-class `node` and to `node_bind` (for incoming connections) for class
-`tcp_socket`:
+TE rules as target context. TE rules to allow a domain to *sendto* for
+class *node* and to *node_bind* (for incoming connections) for class
+*tcp_socket*:
 
 ```
 require {
@@ -591,7 +578,8 @@ allow my_server_t internet_node_t:node sendto;
 ```
 
 After the types have been defined, corresponding node rules can be
-added with `semanage` (or `nodecon` statements):
+added with *semanage* (or *nodecon* statements):
+
 ```
 semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1
 semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000::
@@ -599,7 +587,7 @@ semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00::
 semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00::
 ```
 
-The checks for `recvfrom` in class `node` however use the peer label
+The checks for *recvfrom* in class *node* however use the peer label
 as subject:
 
 ```
@@ -614,12 +602,12 @@ packet level controls, port controls are close to how networked
 applications use the socket system calls. Thus the controls typically
 involve checking if a task can perform an operation on a network
 socket, e.g. ***bind**(2)* would cause an access check for
-`node_bind`. These are usually easy to understand and don't require
+*node_bind*. These are usually easy to understand and don't require
 any special network configuration.
 
 TE rules must define the port types and then allow a domain to
-`name_connect` (outgoing) or `name_bind` (incoming) in class
-`tcp_socket` (or `udp_socket` etc) for the defined port types:
+*name_connect* (outgoing) or *name_bind* (incoming) in class
+*tcp_socket* (or *udp_socket* etc) for the defined port types:
 
 ```
 require {
@@ -633,19 +621,43 @@ allow my_server_t my_server_port_t:tcp_socket name_connect;
 allow my_server_t my_server_port_t:tcp_socket name_bind;
 ```
 
-The ports must also be labeled with `semanage` (or `portcon`
+The ports must also be labeled with *semanage* (or *portcon*
 statements):
 ```
 semanage port -a -t my_server_port_t -p tcp -r s0 12345
 ```
 
-<section class="footnotes">
-<ol>
-<li id="fnn1"><p>For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.<a href="#fnnet1" class="footnote-back">↩</a></p></li>
-<li id="fnn2"><p>Note only the security levels are passed over the network as the other components of the security context are not part of standard MLS systems (as it may be that the remote end is a Trusted Solaris system).<a href="#fnnet2" class="footnote-back">↩</a></p></li>
-<li id="fnn3"><p>These are the Internet Key Exchange (IKE) daemons that exchange encryption keys securely and also supports Labeled IPSec parameter exchanges.<a href="#fnnet3" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
+## Labeled Network FileSystem (NFS)
+
+Version 4.2 of NFS supports labeling between client/server and requires
+the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to
+be set:
+
+```
+exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
+```
+
+Labeled NFS requires kernel 3.14 and the following package installed:
+
+```
+dnf install nfs-utils
+```
+
+Labeled NFS clients must use a consistent security policy.
+
+The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
+
+[^fn_ns_1]: For example, an ftp session where the server is listening on a
+specific port (the destination port) but the client will be assigned a random
+source port. The *CONNSECMARK* will ensure that all packets for the ftp session
+are marked with the same label.
+
+[^fn_ns_2]: Note only the security levels are passed over the network as the
+other components of the security context are not part of standard MLS systems
+(as it may be that the remote end is a Trusted Solaris system)
+
+[^fn_ns_3]: These are the Internet Key Exchange (IKE) daemons that exchange
+encryption keys securely and also supports Labeled IPSec parameter exchanges.
 
 <!-- %CUTHERE% -->
 

From patchwork Wed Sep  2 13:17:31 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11777901
Return-Path: <SRS0=vGri=CY=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 92336618
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 22:04:17 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 3B45720809
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 22:04:17 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="posrajiv"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728122AbgIOWEM (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 15 Sep 2020 18:04:12 -0400
Received: from mailomta17-sa.btinternet.com ([213.120.69.23]:61355 "EHLO
        sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1728037AbgIOWDP (ORCPT
        <rfc822;selinux@vger.kernel.org>); Tue, 15 Sep 2020 18:03:15 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-040.btinternet.com with ESMTP
          id
 <20200902131747.LIKU5290.sa-prd-fep-040.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:47 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052667;
        bh=mRFlu6AUIRasfGcfogtV+u9I3+Thj9E7BIG8PWv387o=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=posrajivUdrIEi7KLAHHLXcWQkUc/CLO40/y59UyjX7QR5dCry0801gBJ90YcziIvWDp4TGU8FJu31EYdK5MY5TGlYVS/QULdk7wjeJY3aHRi7zM4vRddUxbnp6y48e54Ck86Tz7NCOzdrxMwYh9/gEfW6mBQu0e5cEtr3xCYZxoXpDy4aZm+4C9BJTV4GiJRT3ADCrpqELD28hlasa9vR23f4ZGMq+paixJQ/YSs0Ec93bQYxptfCTMB18h5UTDNy1zq03OFGFsD+A+jvog49my8GEi5wmUNuB/v261HN3ZqzroyvqS9NUjY2kzH5rmyKsVZpos2m0wUoWl7eWlPQ==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfgggtgfesthekredtredtjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnhepgfekgffghffgleekgfellefftedvhfejveehhfekkefgvdehueetgfffffelkedtnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqe
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BC0; Wed, 2 Sep 2020 14:17:47 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 06/13] objects: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:31 +0100
Message-Id: <20200902131738.18425-7-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/objects.md | 185 +++++++++++++++++++++++++------------------------
 1 file changed, 95 insertions(+), 90 deletions(-)

diff --git a/src/objects.md b/src/objects.md
index 09c77f3..8762cb9 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -1,5 +1,13 @@
 # Objects
 
+- [Object Classes and Permissions](#object-classes-and-permissions)
+- [Allowing a Process Access to Resources](#allowing-a-process-access-to-resources)
+- [Labeling Objects](#labeling-objects)
+  - [Labeling Extended Attribute Filesystems](#labeling-extended-attribute-filesystems)
+    - [Copying and Moving Files](#copying-and-moving-files)
+- [Labeling Subjects](#labeling-subjects)
+- [Object Reuse](#object-reuse)
+
 Within SELinux an object is a resource such as files, sockets, pipes or
 network interfaces that are accessed via processes (also known as
 subjects). These objects are classified according to the resource they
@@ -11,8 +19,8 @@ in the following sections.
 ## Object Classes and Permissions
 
 Each object consists of a class identifier that defines its purpose
-(e.g. file, socket) along with a set of permissions (Also known in SELinux
-as Access Vectors (AV)) that describe what services the object can handle
+(e.g. file, socket) along with a set of permissions (also known as Access
+Vectors (AV)) that describe what services the object can handle
 (read, write, send etc.).
 When an object is instantiated it will be allocated a name (e.g. a file
 could be called config or a socket my_connection) and a security
@@ -23,7 +31,7 @@ context (e.g. *system_u:object_r:selinux_config_t*) as shown in
 
 **Figure 5: Object Class = 'file' and permissions** - *the policy rules would
 define those permissions allowed for each process that needs access to
-the */etc/selinux/config* file.*
+the /etc/selinux/config file.*
 
 The objective of the policy is to enable the user of the object (the
 subject) access to the minimum permissions needed to complete the task
@@ -45,9 +53,9 @@ permissions are described in
 
 This is a simple example that attempts to explain two points:
 
-1.  How a process is given permission to use an objects resource.
-2.  By using the *process* object class, show that a process can be
-    described as a process or object.
+1. How a process is given permission to use an objects resource.
+2. By using the *process* object class, show that a process can be
+   described as a process or object.
 
 An SELinux policy contains many rules and statements, the majority of
 which are *allow* rules that (simply) allows processes to be given
@@ -66,36 +74,35 @@ allow        unconfined_t    ext_gateway_t :  process  transition;
 
 Where:
 
-<table>
-<tbody>
-<tr>
-<td>allow</td>
-<td>The SELinux language allow rule.</td>
-</tr>
-<tr>
-<td>unconfined_t</td>
-<td>The source domain (or subject) identifier - in this case the shell that wants to exec the gateway application.</td>
-</tr>
-<tr>
-<td>ext_gateway_t</td>
-<td>The target object identifier - the object instance of the gateway application process. </td>
-</tr>
-<tr>
-<td>process</td>
-<td>The target object class - the *process* object class.</td>
-</tr>
-<tr>
-<td>transition</td>
-<td>The permission granted to the source domain on the targets object - in this case the *unconfined_t* domain has transition permission on the *ext_gateway_t* *process* object.</td>
-</tr>
-</tbody>
-</table>
+*allow*
+
+- The SELinux language *allow* rule.
+
+*unconfined_t*
+
+- The source domain (or subject) identifier - in this case the shell that
+  wants to *exec* the gateway application.
+
+*ext_gateway_t*
+
+- The target object identifier - the object instance of the gateway
+  application process.
+
+*process*
+
+- The target object class - the *process* object class.
+
+*transition*
+
+- The permission granted to the source domain on the targets object - in this
+  case the *unconfined_t* domain has transition permission on the
+  *ext_gateway_t process* object.
 
 ![](./images/6-allow-rule.png)
 
 **Figure 6: The *allow* rule** - *Showing that the subject (the processes
-running in the *unconfined_t* domain) has been given the transition
-permission on the *ext_gateway_t* *process* object.*
+running in the unconfined_t domain) has been given the transition
+permission on the ext_gateway_t process object.*
 
 It should be noted that there is more to a domain transition than
 described above, for a more detailed explanation, see the
@@ -108,28 +115,28 @@ objects is managed by the system and generally unseen by the users
 (until labeling goes wrong !!). As processes and objects are created and
 destroyed, they either:
 
-1.  Inherit their labels from the parent process or object. The policy
-    default user, type, role and range statements can be used to
-	change the behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules)
-    section.
-2.  The policy type, role and range transition statements allow a
-    different label to be assigned as discussed in the
-    [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions)
-    section.
-3.  SELinux-aware applications can assign a new label (with the
-    policy's approval of course) using the **libselinux** API
-    functions. The `process setfscreate` permission can be used to
-    allow subjects to create files with a new label programmatically
-    using the ***setfscreatecon**(3)* function, overriding default
-    rules and transition statements.
-4.  An object manager (OM) can enforce a default label that can either
-    be built into the OM or obtained via a configuration file (such as
-    those used by
-    [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support).
-5.  Use an '[**initial security identifier**](sid_statement.md#security-id-sid-statement)'
-    (or initial SID). These are defined in all policies and are used to either
-    set an initial context during the boot process, or if an object requires
-    a default (i.e. the object does not already have a valid context).
+1. Inherit their labels from the parent process or object. The policy
+   default user, type, role and range statements can be used to
+   change the behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules)
+   section.
+2. The policy type, role and range transition statements allow a
+   different label to be assigned as discussed in the
+   [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions)
+   section.
+3. SELinux-aware applications can assign a new label (with the
+   policy's approval of course) using the **libselinux** API
+   functions. The *process { setfscreate }* permission can be used to
+   allow subjects to create files with a new label programmatically
+   using the ***setfscreatecon**(3)* function, overriding default
+   rules and transition statements.
+4. An object manager (OM) can enforce a default label that can either
+   be built into the OM or obtained via a configuration file (such as
+   those used by
+   [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support).
+5. Use an '[**initial security identifier**](sid_statement.md#security-id-sid-statement)'
+   (or initial SID). These are defined in all policies and are used to either
+   set an initial context during the boot process, or if an object requires
+   a default (i.e. the object does not already have a valid context).
 
 The [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
 section gives detail on how some of the kernel based objects are computed.
@@ -149,26 +156,24 @@ section.
 ### Labeling Extended Attribute Filesystems
 
 The labeling of file systems that implement extended
-attributes<a href="#fno1" class="footnote-ref" id="fnobj1"><strong><sup>1</sup></strong></a>
-is supported by SELinux using:
-
-1.  The *fs_use_xattr* statement within the policy to identify what
-    filesystems use extended attributes. This statement is used to
-    inform the security server how to label the filesystem.
-2.  A 'file contexts' file that defines what the initial contexts should
-    be for each file and directory within the filesystem. The format of
-    this file and how it is built from source policy is described in the
-    [**Policy Store Configuration Files - Building the File Labeling Support Files**](policy_store_config_files.md#building-the-file-labeling-support-files)<a href="#fno2" class="footnote-ref" id="fnobj2"><strong><sup>2</sup></strong></a>
-    section.
-
-3.  A method to initialise the filesystem with these extended
-    attributes. This is achieved by SELinux utilities such as
-    ***fixfiles**(8)* and ***setfiles**(8)*. There are also commands such as
-    ***chcon**(1)*, ***restorecon**(8)* and ***restorecond**(8)* that can be
-    used to relabel files.
+attributes[^fn_objs_1] is supported by SELinux using:
+
+1. The *fs_use_xattr* statement within the policy to identify what
+   filesystems use extended attributes. This statement is used to
+   inform the security server how to label the filesystem.
+2. A 'file contexts' file that defines what the initial contexts should
+   be for each file and directory within the filesystem. The format of
+   this file and how it is built from source policy is described in the
+   [**Policy Store Configuration Files - Building the File Labeling Support Files**](policy_store_config_files.md#building-the-file-labeling-support-files)[^fn_objs_2]
+   section.
+3. A method to initialise the filesystem with these extended
+   attributes. This is achieved by SELinux utilities such as
+   ***fixfiles**(8)* and ***setfiles**(8)*. There are also commands such as
+   ***chcon**(1)*, ***restorecon**(8)* and ***restorecond**(8)* that can be
+   used to relabel files.
 
 Extended attributes containing the SELinux context of a file can be
-viewed by the ls -Z or ***getfattr**(1)* commands as follows:
+viewed by the *ls -Z* or ***getfattr**(1)* commands as follows:
 
 ```
 ls -Z myfile
@@ -191,8 +196,8 @@ Assuming that the correct permissions have been granted by the policy,
 the effects on the security context of a file when copied or moved
 differ as follows:
 
--   copy a file - takes on label of new directory.
--   move a file - retains the label of the file.
+- copy a file - takes on label of new directory.
+- move a file - retains the label of the file.
 
 However, if the ***restorecond**(8)* daemon is running and the
 [**restorecond.conf**](global_config_files.md#etcselinuxrestorecond.conf)
@@ -262,26 +267,26 @@ discussed in the
 The policy language supports a number of statements to assign components
 to security contexts such as:
 
-*user*, *role* and *type* statements.
+- *user*, *role* and *type* statements.
 
-and manage their scope:
+and to manage their scope:
 
-*role_allow* and *constrain*
+- *role_allow* and *constrain*
 
-and manage their transition:
+and to manage their transition:
 
-*type_transition*, *role_transition* and *range_transition*
+- *type_transition*, *role_transition* and *range_transition*
 
 SELinux-aware applications can assign a new label (with the policy's
 approval of course) using the **libselinux** API functions. The
-`process setexec`, `process setkeycreate` and `process setsockcreate`
+*process { setexec setkeycreate setsockcreate }*
 permissions can be used to allow subjects to label processes,
 kernel keyrings, and sockets programmatically using the
 ***setexec**(3)*, ***setkeycreatecon**(3)* and
 ***setsockcreatecon**(3)* functions respectively, overriding
 transition statements.
 
-The `kernel` **initial security identifier** is used to associate
+The *kernel* **initial security identifier** is used to associate
 a specified label with kernel objects, including kernel threads
 (both those that are created during initialization but also kernel
 threads created later), kernel-private sockets and synthetic objects
@@ -293,7 +298,7 @@ either a policy-defined transition or an explicit setcon or
 setexeccon+execve, but that's just the typical default inheritance
 from creating task behavior for processes.
 
-The context associated with the `unlabeled`
+The context associated with the *unlabeled*
 **initial security identifier** is used as the fallback context for
 both subjects and objects when their label is invalidated by a policy
 reload (their SID is unchanged but the SID is transparently remapped
@@ -302,7 +307,7 @@ for various objects e.g. inodes, superblocks, etc until they reach a
 point where a more specific label can be determined e.g. from an
 xattr or from policy.
 
-### Object Reuse
+## Object Reuse
 
 As GNU / Linux runs it creates instances of objects and manages the
 information they contain (read, write, modify etc.) under the control of
@@ -319,13 +324,13 @@ process itself should clear or shred the information before releasing
 the object (which can be difficult in some cases unless the source code
 is available).
 
-<section class="footnotes">
-<ol>
-<li id="fno1"><p>These file systems store the security context in an attribute
-associated with the file.<a href="#fnobj1" class="footnote-back">↩</a></p></li>
-<li id="fno2"><p>Note that this file contains the contexts of all files in all extended attribute filesystems for the policy. However within a modular policy (and/or CIL modules) each module describes its own file context information, that is then used to build this file.<a href="#fnobj2" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
+[^fn_objs_1]: These file systems store the security context in an attribute
+associated with the file.
+
+[^fn_objs_2]: Note that this file contains the contexts of all files in all
+extended attribute filesystems for the policy. However within a modular policy
+(and/or CIL modules) each module describes its own file context information,
+that is then used to build this file.
 
 <!-- %CUTHERE% -->
 

From patchwork Wed Sep  2 13:17:32 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11955567
Return-Path: <selinux-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1855BC1B0D9
	for <selinux@archiver.kernel.org>; Mon,  7 Dec 2020 11:44:22 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id E625623340
	for <selinux@archiver.kernel.org>; Mon,  7 Dec 2020 11:44:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726961AbgLGLnw (ORCPT <rfc822;selinux@archiver.kernel.org>);
        Mon, 7 Dec 2020 06:43:52 -0500
Received: from mailomta6-sa.btinternet.com ([213.120.69.12]:33966 "EHLO
        sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726254AbgLGLnw (ORCPT
        <rfc822;selinux@vger.kernel.org>); Mon, 7 Dec 2020 06:43:52 -0500
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-041.btinternet.com with ESMTP
          id
 <20200902131747.DGWH19995.sa-prd-fep-041.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:47 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052667;
        bh=za9FuHt0NlwXmDC39YdY/XeXg1bmc5I+Rp2nRv8pYq0=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=NYWVQ0IDGmox3G/m9MIhqYtRALIZOqn+u0RGfMCpZo3BQblDWtwgGQRoLOjwcTpsNrqMx5fN19sMg5IE6ubDihiU9C3jxx/m/H8YzDUM+O8j+K+eQLpbVxJv/V3/mK1J0Ns1aOSXZDtvsLitQh25+CGFL0T8iAZfybGTKUmaamndNWXFVyf5mwwLDh8EbA5V1JmyipR7IMX/CwtkDlfeLiNqemp6ogf5FpnILl/Atw/rRELNds8mrzGjij3Y0Ol+sAPY+2Yib2kf1gNcKa3JayAkfF5di7e5NLH1Iow6zsM1qm1NzXAg9rs9fzlDZXF6A6s8pXmrVWhY5C/bk2meWA==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BCB; Wed, 2 Sep 2020 14:17:47 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 07/13] pam_login: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:32 +0100
Message-Id: <20200902131738.18425-8-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/pam_login.md | 107 +++++++++++++++++++++++++----------------------
 1 file changed, 56 insertions(+), 51 deletions(-)

diff --git a/src/pam_login.md b/src/pam_login.md
index 08e1599..2b30bff 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -4,21 +4,18 @@ Applications used to provide login services (such as ***ssh**(1)*) in
 Fedora use the PAM (Pluggable Authentication Modules) infrastructure to
 provide the following services:
 
--   **Account Management** - This manages services such as password expiry,
-service entitlement (i.e. what services the login process is allowed to
-access).
-
--   **Authentication Management** - Authenticate the user or subject and set
-up the credentials. PAM can handle a variety of devices including
-smart-cards and biometric devices.
-
--   **Password Management** - Manages password updates as needed by the
-specific authentication mechanism being used and the password policy.
-
--   **Session Management** - Manages any services that must be invoked
-before the login process completes and / or when the login process
-terminates. For SELinux this is where hooks are used to manage the
-domains the subject may enter.
+- **Account Management** - This manages services such as password expiry,
+  service entitlement (i.e. what services the login process is allowed to
+  access).
+- **Authentication Management** - Authenticate the user or subject and set
+  up the credentials. PAM can handle a variety of devices including
+  smart-cards and biometric devices.
+- **Password Management** - Manages password updates as needed by the
+  specific authentication mechanism being used and the password policy.
+- **Session Management** - Manages any services that must be invoked
+  before the login process completes and / or when the login process
+  terminates. For SELinux this is where hooks are used to manage the
+  domains the subject may enter.
 
 The ***pam**(8)* and ***pam.conf**(5)* *man* pages describe the services and
 configuration in detail and only a summary is provided here covering the
@@ -43,32 +40,40 @@ service type control module-path arguments
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td>service</td>
-<td>The service name such as <em>gdm</em> and <em>login</em> reflecting the login application. If there is a <em>/etc/pam.d</em> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <em>/etc/pam.conf</em> can be used. Fedora uses the <em>/etc/pam.d</em> configuration.</td>
-</tr>
-<tr>
-<td>type</td>
-<td>These are the management groups used by PAM with valid entries being: <em>account</em>, <em>auth</em>, <em>password</em> and <em>session</em> that correspond to the descriptions given above. Where there are multiple entries of the same '<em>type</em>', the order they appear could be significant.</td>
-</tr>
-<tr>
-<td>control</td>
-<td><p>This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as <em>required</em>, <em>optional</em>, and <em>include</em>; or multiple space separated entries enclosed in square brackets consisting of :</p>
-<p>  [value1=action1 value2=action2 ..]</p>
-<p>Both formats are shown in the example file below, however see the <em><strong>pam.conf</strong>(5)</em> man pages for the gory details. </p></td>
-</tr>
-<tr>
-<td>module-path</td>
-<td>Either the full path name of the module or its location relative to <em>/lib/security</em> (but does depend on the system architecture).</td>
-</tr>
-<tr>
-<td>arguments</td>
-<td>A space separated list of the arguments that are defined for the module.</td>
-</tr>
-</tbody>
-</table>
+*service*
+
+- The service name such as *gdm* and *login* reflecting the login application.
+  If there is a */etc/pam.d* directory, then this is the name of a
+  configuration file name under this directory. Alternatively, a
+  configuration file called */etc/pam.conf* can be used. Fedora uses the
+  */etc/pam.d* configuration.
+
+*type*
+
+- These are the management groups used by PAM with valid entries being:
+  *account*, *auth*, *password* and *session* that correspond to the
+  descriptions given above. Where there are multiple entries of the same
+   '*type*', the order they appear could be significant.
+
+*control*
+
+- This entry states how the module should behave when the requested task
+  fails. There can be two formats: a single keyword such as *required*,
+  *optional*, and *include*; or multiple space separated entries enclosed in
+  square brackets consisting of (see the ***pam.conf**(5)* man pages):
+
+```
+[value1=action1 value2=action2 ..]
+```
+
+*module-path*
+
+- Either the full path name of the module or its location relative to
+  */lib/security* (but does depend on the system architecture).
+
+*arguments*
+
+- A space separated list of the arguments that are defined for the module.
 
 The */etc/pam.d/sshd* PAM configuration file for the OpenSSH
 service is as follows:
@@ -99,17 +104,17 @@ the *libselinux* API to obtain its configuration information and the
 three SELinux PAM entries highlighted in the above configuration file
 perform the following functions:
 
--   ***pam_sepermit.so*** - Allows pre-defined users the ability to
-    logon provided that SELinux is in enforcing mode (see the
-    [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf)
-    section).
--   ***pam_selinux.so open*** - Allows a security context to be set up for
-    the user at initial logon (as all programs exec'ed from here will use
-    this context). How the context is retrieved is described in the
-    [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers)
-    section.
+- ***pam_sepermit.so*** - Allows pre-defined users the ability to
+  logon provided that SELinux is in enforcing mode (see the
+  [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf)
+  section).
+- ***pam_selinux.so open*** - Allows a security context to be set up for
+  the user at initial logon (as all programs exec'ed from here will use
+  this context). How the context is retrieved is described in the
+  [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers)
+  section.
 -   ***pam_selinux.so close*** - This will reset the login programs context
-    to the context defined in the policy.
+  to the context defined in the policy.
 
 <!-- %CUTHERE% -->
 

From patchwork Wed Sep  2 13:17:33 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11778661
Return-Path: <SRS0=BB3M=CZ=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2860746
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 01:23:56 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 552A821D24
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 01:23:56 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="J0kOAdn4"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726312AbgIPBXz (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 15 Sep 2020 21:23:55 -0400
Received: from mailomta29-sa.btinternet.com ([213.120.69.35]:38077 "EHLO
        sa-prd-fep-043.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726023AbgIPBXy (ORCPT
        <rfc822;selinux@vger.kernel.org>); Tue, 15 Sep 2020 21:23:54 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-046.btinternet.com with ESMTP
          id
 <20200902131747.DQEY4114.sa-prd-fep-046.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:47 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052667;
        bh=4H56Ju7m00EEie3KnnXKakippHv7ralv9RWMynRA9Gk=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=J0kOAdn4fYkcoNkqUmEgapX4BdFwT80nLlTjqMIWMSHp7xaPeH2iJ8NbH7VH2fZzaK28Ih25NIapLvRmcf22s1US/ncAQBBQxFkr05VwXM6ZRbRh20ctVwitUyim5whWKefENnkK+ZGow5E+0hcNay3VGyuJxvF4tAQZgykqxQ6Ooi5q0zKf2Mi5tIV58bJamISJLCcKi98JKpOkz3taHmZ+gz3F+sM1Y3Y59rq7gNnBk3e7O+P74pwsZsRJJYRQjsL/GO1yAOOwMaecpz7m+mCnOrWGuWs1TI+QMmA5ph+QnwNlb+KOq8lyf/+uR+yZFtZnpw2HcG96yCa1fujG+w==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BD1; Wed, 2 Sep 2020 14:17:47 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 08/13] policy_config_statements: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:33 +0100
Message-Id: <20200902131738.18425-9-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Convert to markdown

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_config_statements.md | 54 +++++++++++----------------------
 1 file changed, 18 insertions(+), 36 deletions(-)

diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md
index 156b434..d4eee48 100644
--- a/src/policy_config_statements.md
+++ b/src/policy_config_statements.md
@@ -16,45 +16,27 @@ policycap capability;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>policycap</code></td>
-<td>The <code>policycap</code> keyword.</td>
-</tr>
-<tr>
-<td><code>capability</code></td>
-<td>A single <code>capability</code> identifier that will be enabled for this policy.</td>
-</tr>
-</tbody>
-</table>
+*policycap*
+
+The *policycap* keyword.
+
+*capability*
+
+A single *capability* identifier that will be enabled for this policy.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 

From patchwork Wed Sep  2 13:17:34 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11779515
Return-Path: <SRS0=BB3M=CZ=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A1A05112E
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 10:04:08 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 5AC502220F
	for <patchwork-selinux@patchwork.kernel.org>;
 Wed, 16 Sep 2020 10:04:08 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="qGbH8NIe"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726726AbgIPKEH (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Wed, 16 Sep 2020 06:04:07 -0400
Received: from mailomta4-sa.btinternet.com ([213.120.69.10]:54906 "EHLO
        sa-prd-fep-048.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726438AbgIPKEF (ORCPT
        <rfc822;selinux@vger.kernel.org>); Wed, 16 Sep 2020 06:04:05 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-048.btinternet.com with ESMTP
          id
 <20200902131747.PPP4139.sa-prd-fep-048.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:47 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052667;
        bh=NjhidpVpd/6m121M1ZJ1sjh63xQjRovGqfndLjJo40o=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=qGbH8NIeXKPQZmuy9CsDx8e5HcBBA/LbBQmADwuJQ3GVGLO3eANe64gCEI9RGtP1p0fxH/sQFxEx03AVjukfM7FT+nKDuyXnxPyYEJQ7tNg3fm5NWw4BqUkv1YsQQqKdG5bv5FCQQKA8h63ZDFNHP7ikXpmpRMb9r/owZYcVhatRPVCeVePB7anxtTZSHm6bSJkUcObvvIyBC3q0r9R1ehuKnof/mzt3GUtJpxEWAUDiH9fqpBAdsgCtOgk7Du75y/v+vB9+jWR6KlCNdJxtiaKx5jD5TVghr9DA7JMm9YvvRjeWkWE4LU8FJ+35lYp+UfH/E47yo/dVkTtiP+7iZg==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpedtfffgtdejffetgfehfeefgeduvdeiheelkeehhedvtdejkeeitdettdffjeekffenucffohhmrghinhepfihorhhluggtrghtrdhorhhgpdhgihhthhhusgdrtghomhenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeo
        shgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BD4; Wed, 2 Sep 2020 14:17:47 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 09/13] policy_languages: Tidy up
Date: Wed,  2 Sep 2020 14:17:34 +0100
Message-Id: <20200902131738.18425-10-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_languages.md | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/policy_languages.md b/src/policy_languages.md
index 90c17fe..add93e6 100644
--- a/src/policy_languages.md
+++ b/src/policy_languages.md
@@ -1,18 +1,20 @@
 # The SELinux Policy Languages
 
 There are two methods of writing 'raw' policy statements and rules:
-1.   The [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language)
-section is intended as a reference of the kernel policy language statements
-and rules with supporting examples taken from the Reference Policy sources.
-Also all of the language updates to Policy DB version 32 should have been
-captured. For a more detailed explanation of the policy language the
-[**SELinux by Example**] (https://www.worldcat.org/title/selinux-by-example-using-security-enhanced-linux/oclc/85872880) book is recommended.
-2.   The Common Intermediate Language (CIL) project defines a new policy
-definition language that has an overview of its motivation and design
-at: <https://github.com/SELinuxProject/cil/wiki>, however some of the
-language statement definitions are out of date. The
-[**CIL Policy Language**](cil_overview.md#cil-overview) section gives
-an overview.
+
+1. The [**Kernel Policy Language**](kernel_policy_language.md#kernel-policy-language)
+   section is intended as a reference of the kernel policy language statements
+   and rules with supporting examples taken from the Reference Policy sources.
+   Also all of the language updates to Policy DB version 32 should have been
+   captured. For a more detailed explanation of the policy language the
+   [**SELinux by Example**](https://www.worldcat.org/title/selinux-by-example-using-security-enhanced-linux/oclc/85872880)
+   book is recommended.
+2. The Common Intermediate Language (CIL) project defines a new policy
+   definition language that has an overview of its motivation and design
+   at: <https://github.com/SELinuxProject/cil/wiki>, however some of the
+   language statement definitions are out of date. The
+   [**CIL Policy Language**](cil_overview.md#cil-overview) section gives
+   an overview.
 
 However more likely, policy is written using the
 [**The Reference Policy**](reference_policy.md#the-reference-policy)

From patchwork Wed Sep  2 13:17:35 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11833103
Return-Path: <SRS0=npki=DT=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 62D1292C
	for <patchwork-selinux@patchwork.kernel.org>;
 Mon, 12 Oct 2020 15:25:39 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 0ADBF2087E
	for <patchwork-selinux@patchwork.kernel.org>;
 Mon, 12 Oct 2020 15:25:39 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="r1uHYJNo"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389540AbgJLPZi (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Mon, 12 Oct 2020 11:25:38 -0400
Received: from mailomta9-sa.btinternet.com ([213.120.69.15]:29703 "EHLO
        sa-prd-fep-040.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S2389951AbgJLPZi (ORCPT
        <rfc822;selinux@vger.kernel.org>); Mon, 12 Oct 2020 11:25:38 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-041.btinternet.com with ESMTP
          id
 <20200902131748.DGWK19995.sa-prd-fep-041.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:48 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052668;
        bh=DSD1nziWklDOmkkpGfGmb2HE2POtxVAGNLqdI4mpnFQ=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=r1uHYJNo84LbNdaxwWNhT3Qi21Osgny/vtqg3a/0RHcjMotfOZYmQzTB2/1Bh1bIwLaXuemjQBR5DeA1vBTe6+sqb4cyNq8u5vS3EGzAcxzUxJ9J+yWMYdlkqWv7o0J+InBEOuumqyTNsLrzRVxggsU9AsH9EvupFkVsGpZp0FkDXznXyDPTiIZodDQEpIkILYUgV/5O88Vpy3zpIKrai5rHuv1W04p5Cy7aa++2wjUDbX+OmqQ0kddCXwd4D2OQrupDFCV9N99s6gnt7u04QPHT9UnpSG4a89JrzCL/uZdu9n9rCYW/CZYWWp/GwrJqgJ3L2T63HfHNc3pHKP/OPg==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpefhjeehjeeijedvieeggffhkedtgfevveeuudegkeffveegfeefgfdvffejfeevveenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhkvghrnhgvlhdrrggtthhivhgvpdhpohhlihgthidrrggtthhivhgvnecukfhppedutdelrdduheehrdefvddrudeljeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehlohgtrghlhhhoshhtrdhlohgtrghlughomhgrihhnpdhinhgvthepuddtledrudehhedrfedvrdduleejpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuqfftvefrvfeprhhftgekvddvnehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhn
        vghtrdgtohhmpdhrtghpthhtohepoehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqe
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BEC; Wed, 2 Sep 2020 14:17:48 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 10/13] policy_store_config_files: Add TOC and tidy up
 formatting
Date: Wed,  2 Sep 2020 14:17:35 +0100
Message-Id: <20200902131738.18425-11-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add TOC and tidy up formatting.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_store_config_files.md | 432 +++++++++++++++++--------------
 1 file changed, 234 insertions(+), 198 deletions(-)

diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md
index 3e7f8ab..93d3727 100644
--- a/src/policy_store_config_files.md
+++ b/src/policy_store_config_files.md
@@ -1,23 +1,47 @@
 # Policy Store Configuration Files
 
-**NOTE: Files in this area are private and subject to change, they should only
-be modified using the** ***semodule**(8)* and ***semanage**(8)* commands.
+- [*active/modules* Directory Contents](#activemodules-directory-contents)
+  - [*tmp* Policy Store (build failure)](#tmp-policy-store-build-failure)
+- [*active/commit_num*](#activecommit_num)
+  - [*active/policy.kern*](#activepolicy.kern)
+- [*active/policy.linked*](#activepolicy.linked)
+- [*active/seusers.linked*](#activeseusers.linked)
+- [*active/seusers_extra.linked*](#activeseusers_extra.linked)
+- [*active/booleans.local*](#activebooleans.local)
+- [*disable_dontaudit*](#disable_dontaudit)
+- [*active/file_contexts*](#activefile_contexts)
+  - [Building the File Labeling Support Files](#building-the-file-labeling-support-files)
+- [*active/file_contexts.local*](#activefile_contexts.local)
+- [*active/homedir_template*](#activehomedir_template)
+  - [*active/file_contexts.homedirs*](#activefile_contexts.homedirs)
+- [*active/seusers*](#activeseusers)
+- [*active/seusers.local*](#activeseusers.local)
+- [*active/users_extra*](#activeusers_extra)
+- [*active/users_extra.local*](#activeusers_extra.local)
+- [*active/users.local*](#activeusers.local)
+- [*active/interfaces.local*](#activeinterfaces.local)
+- [*active/nodes.local*](#activenodes.local)
+- [*active/ports.local*](#activeports.local)
+- [Set domain permissive mode](#set-domain-permissive-mode)
+
+**NOTE:** Files in this area are private and subject to change, they should only
+be modified using the ***semodule**(8)* and ***semanage**(8)* commands.
 
 Depending on the SELinux userspace library release being used the default
 policy stores will be located at:
 
--   */etc/selinux/&lt;SELINUXTYPE&gt;/modules* - This is the default for
-    systems that support versions &lt; 2.4 of the SELinux userspace library.
-    The migration process to &gt;= 2.4 is described at
-    <https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration>.
--   */var/lib/selinux* - This is the default base for systems that
-    support versions &gt;= 2.4 of the SELinux userspace library. This base
-    may be overridden by the ***store-root*** parameter defined in the
-    [***semanage.conf**(5)*](global_config_files.md#etcselinuxsemanage.conf)
-    file. Multiple policy stores are supported by appending the
-    *&lt;SELINUXTYPE&gt;*, for example:
--   */var/lib/selinux/mls*
--   */var/lib/selinux/targeted*
+- */etc/selinux/\<SELINUXTYPE\>/modules* - This is the default for
+  systems that support versions \< 2.4 of the SELinux userspace library.
+  The migration process to \>= 2.4 is described at
+  <https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration>.
+- */var/lib/selinux* - This is the default base for systems that
+  support versions \>= 2.4 of the SELinux userspace library. This base
+  may be overridden by the ***store-root*** parameter defined in the
+  [***semanage.conf**(5)*](global_config_files.md#etcselinuxsemanage.conf)
+  file. Multiple policy stores are supported by appending the
+  *\<SELINUXTYPE\>*, for example:
+  - */var/lib/selinux/mls*
+  - */var/lib/selinux/targeted*
 
 The Policy Store files are either installed, updated or built by the
 ***semodule**(8)* and ***semanage**(8)* commands as a part of the build
@@ -25,34 +49,35 @@ process with the resulting files being copied over to the
 [**The Policy Store**](configuration_files.md#the-policy-store) area.
 
 The policy configuration files are described relative to the default
-***store-root*** at */var/lib/selinux* with *&lt;SELINUXTYPE&gt;* being
+***store-root*** at */var/lib/selinux* with *\<SELINUXTYPE\>* being
 *targeted*.
 
 The ***semanage**(8)* command must be used to configure policy (the actual
 policy and supporting configuration files) within a specific **Policy Store**.
 The command types are:
--   [***semanage boolean***](#activebooleans.local) Manage booleans to
-    selectively enable functionality
--   [***semanage dontaudit***](#disable_dontaudit) Disable/Enable *dontaudit*
-    rules in policy
--   ***semanage export*** Output local customizations
--   [***semanage fcontext***](#activefile_contexts.local) Manage file context
-    mapping definitions
--   ***semanage ibendport*** Manage infiniband end port type definitions
--   ***semanage ibpkey*** Manage infiniband pkey type definitions
--   ***semanage import*** Import local customizations
--   [***semanage interface***](#activeinterfaces.local) Manage network interface
-    type definitions
--   [***semanage login***](#activeseusers.local) Manage login mappings between
-    linux users and SELinux confined users
--   [***semanage module***](#activemodules-directory-contents) Manage SELinux
-    policy modules
--   [***semanage node***](#activenodes.local) Manage network node type definitions
--   [***semanage permissive***](#set-domain-permissive-mode) Manage process
-    type enforcement mode.
--   [***semanage port***](#activeports.local) Manage network port type definitions
--   [***semanage user***](#activeusers.local) Manage  SELinux confined users
-(Roles and levels for an SELinux user)
+
+- [***semanage boolean***](#activebooleans.local) Manage booleans to
+  selectively enable functionality
+- [***semanage dontaudit***](#disable_dontaudit) Disable/Enable *dontaudit*
+  rules in policy
+- ***semanage export*** Output local customizations
+- [***semanage fcontext***](#activefile_contexts.local) Manage file context
+  mapping definitions
+- ***semanage ibendport*** Manage infiniband end port type definitions
+- ***semanage ibpkey*** Manage infiniband pkey type definitions
+- ***semanage import*** Import local customizations
+- [***semanage interface***](#activeinterfaces.local) Manage network interface
+  type definitions
+- [***semanage login***](#activeseusers.local) Manage login mappings between
+  linux users and SELinux confined users
+- [***semanage module***](#activemodules-directory-contents) Manage SELinux
+  policy modules
+- [***semanage node***](#activenodes.local) Manage network node type definitions
+- [***semanage permissive***](#set-domain-permissive-mode) Manage process
+  type enforcement mode.
+- [***semanage port***](#activeports.local) Manage network port type definitions
+- [***semanage user***](#activeusers.local) Manage SELinux confined users
+  (Roles and levels for an SELinux user)
 
 ## active/modules Directory Contents
 
@@ -84,8 +109,8 @@ test_policy               400       pp
 
 ### *tmp* Policy Store (build failure)
 
-When adding/updating a policy module and it fails to  build for some reason,
-the *tmp* directory (*/var/lib/selinux&lt;SELINUXTYPE&gt;/tmp*) will contain
+When adding/updating a policy module and it fails to build for some reason,
+the *tmp* directory (*/var/lib/selinux\<SELINUXTYPE\>/tmp*) will contain
 a copy of the failed policy for inspection. An example ***semodule*** failure
 message indicating the failing line number is:
 
@@ -103,7 +128,7 @@ store. The format is not relevant to policy construction.
 This is the binary policy file built by either the ***semanage**(8)* or
 ***semodule**(8)* commands (depending on the configuration action), that
 is then becomes the
-*/etc/selinux/&lt;SELINUXTYPE&gt;/policy/policy.&lt;ver&gt;* binary policy
+*/etc/selinux/\<SELINUXTYPE\>/policy/policy.\<ver\>* binary policy
 that will be loaded into the kernel.
 
 ## *active/policy.linked*
@@ -145,7 +170,7 @@ such as ***audit2allow**(8)* to list all denials to assist debugging policy.
 ## *active/file_contexts*
 
 This file becomes the policy
-[*/etc/selinux/&lt;SELINUXTYPE&gt;/contexts/files/file_contexts*](policy_config_files.md#contextsfilesfile_contexts)
+[*/etc/selinux/\<SELINUXTYPE\>/contexts/files/file_contexts*](policy_config_files.md#contextsfilesfile_contexts)
  file. It is built as described in the
 [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files)
 section.
@@ -210,18 +235,18 @@ section.
 The process used to build the *file_contexts* and the *file_contexts.template*
 files is shown in **Figure 25: File Context Configuration Files**.
 
-1.  They are built by ***semanage**(8)*  using entries from the 'Policy File
-    Labeling' statements extracted from the
-    [*active/modules*](#activemodules-directory-contents) entries
-    (the *&lt;module_name&gt;.fc* files, this will include any CIL *(filecon ....)*
-    statements that are within CIL policy files).
-2.  As a part of the ***semanage**(8)* build process, these two files
-    will also have *file_contexts.bin* and *file_contexts.homedirs.bin*
-    files present in the
-    [Policy Configuration Files](policy_config_files.md#contextsfilesfile_contexts)
-    *./contexts/files* directory. This is because ***semanage**(8)* requires
-    these in the Perl compatible regular expression (PCRE) internal format.
-    They are generated by the ***sefcontext_compile**(8)* utility.
+1. They are built by ***semanage**(8)* using entries from the 'Policy File
+   Labeling' statements extracted from the
+   [*active/modules*](#activemodules-directory-contents) entries
+   (the *\<module_name\>.fc* files, this will include any CIL *(filecon ....)*
+   statements that are within CIL policy files).
+2. As a part of the ***semanage**(8)* build process, these two files
+   will also have *file_contexts.bin* and *file_contexts.homedirs.bin*
+   files present in the
+   [Policy Configuration Files](policy_config_files.md#contextsfilesfile_contexts)
+   *./contexts/files* directory. This is because ***semanage**(8)* requires
+   these in the Perl compatible regular expression (PCRE) internal format.
+   They are generated by the ***sefcontext_compile**(8)* utility.
 
 ![](./images/25-file_contexts.png)
 
@@ -237,66 +262,82 @@ pathname_regexp [file_type] security_context | <<none>>
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>pathname_regexp</code></td>
-<td><p>An entry that defines the pathname that may be in the form of a regular expression.</p>
-<p>The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example <em>file_contexts</em> files below). </p>
-<p>The source policy <em>*.fc</em> and f<em>ile_contexts.template</em> files may also contain the keywords HOME_ROOT, HOME_DIR, ROLE and USER that will be replaced as explained in the next table.</p></td>
-</tr>
-<tr>
-<td><code>file_type</code></td>
-<td><p>One of the following optional file_type entries (note if blank means "all file types"):</p>
-<p>'<em>-b</em>' - Block Device         '<em>-c</em>' - Character Device</p>
-<p>'<em>-d</em>' - Directory               '<em>-p</em>' - Named Pipe (FIFO)</p>
-<p>'<em>-l</em>' - Symbolic Link      '<em>-s</em>' - Socket File</p>
-<p>'<em>--</em>' - Ordinary file</p>
-<p>By convention this entry is known as 'file type', however it really represents the 'file object class'.</p></td>
-</tr>
-<tr>
-<td><code>security_context</code></td>
-<td>This entry can be either:
-<p>a. The security context, including the MLS / MCS level or range if applicable that will be assigned to the file.</p>
-<p>b. A value of &lt;&lt;none&gt;&gt; can be used to indicate that matching files should not be re-labeled.</p></td>
-</tr>
-</tbody>
-</table>
-
-Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are:
-
-<table>
-<tbody>
-<tr>
-<td>HOME_ROOT</td>
-<td>This keyword is replaced by the Linux users root home directory, normally <em>/home</em> is the default.</td>
-</tr>
-<tr>
-<td>HOME_DIR</td>
-<td>This keyword is replaced by the Linux users home directory, normally <em>/home/</em> is the default.</td>
-</tr>
-<tr>
-<td>USER</td>
-<td>This keyword will be replaced by the users Linux user id.</td>
-</tr>
-<tr>
-<td>ROLE</td>
-<td><p>This keyword is replaced by the <code>prefix</code> entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are:</p>
-<p><code>user user_u  prefix user;</code></p>
-<p><code>user staff_u prefix staff;</code></p>
-<p>It is used for files and directories within the users home directory area. </p>
-<p>The prefix can be added by the semanage <em>login</em> command as follows (although note that the <em>-P</em> option is suppressed when help is displayed as it is generally it is not used (defaults to <em>user</em>:</p>
-<p># Add a Linux user:</p>
-<p><code>adduser rch</code></p>
-<p># Modify staff_u SELinux user and prefix:</p>
-<p><code>semanage user -m -R staff_r -P staff staff_u</code></p>
-<p># Associate the SELinux user to the Linux user:</p>
-<p><code>semanage login -a -s staff_u rch</code></p></td>
-</tr>
-</tbody>
-</table>
-
-**Example policy source file from Reference Policy** *policy/modules/system/userdomain.fc*:
+*pathname_regexp*
+
+- An entry that defines the pathname that may be in the form of a regular
+  expression. The metacharacters '^' (match beginning of line) and '\$'
+  (match end of line) are automatically added to the expression by the
+  routines that process this file, however they can be over-ridden by
+  using '\.\*' at either the beginning or end of the expression (see the
+  example *file_contexts* files below).
+- The source policy *\*.fc* and *file_contexts.template* files may also
+  contain the keywords *HOME_ROOT*, *HOME_DIR*, *ROLE* and *USER* that will
+  be replaced as explained in the next table.
+
+*file_type*
+
+- One of the following optional file_type entries (note if blank means
+  "all file types"):
+  - *-b* - Block Device
+  - *-c* - Character Device
+  - *-d* - Directory
+  - *-p* - Named Pipe (FIFO)
+  - *-l* - Symbolic Link
+  - *-s* - Socket File
+  - *\-\-* - Ordinary file
+- By convention this entry is known as *file type*, however it really
+  represents the 'file object class'.
+
+*security_context*
+
+- This entry can be either:
+  - The security context, including the MLS / MCS level or range if applicable
+    that will be assigned to the file.
+  - A value of \<\<none\>\> can be used to indicate that matching files should
+    not be re-labeled.
+
+Keywords that can be in policy source \*.fc files and then form the
+*file_contexts.template* file entries are:
+
+*HOME_ROOT*
+
+- This keyword is replaced by the Linux users root home directory,
+  normally */home* is the default.
+
+*HOME_DIR*
+
+- This keyword is replaced by the Linux users home directory,
+  normally */home/* is the default.
+
+*USER*
+
+- This keyword will be replaced by the users Linux user id.
+
+*ROLE*
+
+- This keyword is replaced by the *prefix* entry from the *users_extra*
+  configuration file that corresponds to the SELinux users user id. Example
+  *users_extra* configuration file entries are:
+  - *user user_u prefix user;*
+  - *user staff_u prefix staff;*
+- It is used for files and directories within the users home directory area.
+  The prefix can be added by the semanage *login* command as follows
+  (although note that the *-P* option is suppressed when help is displayed
+  as it is generally it is not used (defaults to *user*)):
+
+```
+# Add a Linux user:
+
+adduser rch
+# Modify staff_u SELinux user and prefix:
+semanage user -m -R staff_r -P staff staff_u
+
+# Associate the SELinux user to the Linux user:
+semanage login -a -s staff_u rch
+```
+
+**Example policy source file from Reference Policy**
+*policy/modules/system/userdomain.fc*:
 
 ```
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -309,7 +350,8 @@ HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 /root/\.debug(/.*)?	<<none>>
 ```
 
-**Example policy source file from Reference Policy** *policy/modules/kernel/files.fc*:
+**Example policy source file from Reference Policy**
+*policy/modules/kernel/files.fc*:
 
 ```
 #
@@ -387,8 +429,8 @@ HOME_DIR/.+	system_u:object_r:user_home_t:s0
 ### *active/file_contexts.homedirs*
 
 This file becomes the policy
-[*/etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts.homedirs*](policy_config_files.md#contextsfilesfile_contexts.homedirs) file. It is built
-as described in the
+[*/etc/selinux/\<SELINUXTYPE\>/contexts/files/file_contexts.homedirs*](policy_config_files.md#contextsfilesfile_contexts.homedirs)
+file. It is built as described in the
 [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files)
 section. It is then used by the file labeling utilities to ensure that users
 home directory areas are labeled according to the policy.
@@ -419,32 +461,32 @@ libsepol library function.
 /home/[^/]+/.+	unconfined_u:object_r:user_home_t:s0
 ```
 
-## active/seusers
-## active/seusers.local
+## *active/seusers*
+## *active/seusers.local*
 
-The *active/seusers* file becomes the policy */etc/selinux/<SELINUXTYPE>/seusers*
+The *active/seusers* file becomes the policy */etc/selinux/\<SELINUXTYPE\>/seusers*
 file, the *active/seusers.local* file holds entries added when adding users via
 ***semanage**(8)*.
 
 The *seusers* file is built or modified when:
 
-1.  Building a policy where an optional *seusers* file has been included
-    in the base package via the ***semodule_package**(8)* command
-    (signified by the *-s* flag) as follows:
--   *semodule_package -o base.pp -m base.mod -s seusers ...*
--   The *seusers* file would be extracted by the subsequent ***semodule*** command
-    when building the policy to produce the *seusers.final* file.
-2.  The ***semanage login*** command is used to map Linux users to
-    SELinux users as follows:
--   *semanage login -a -s staff_u rch*
--   This action will update the *seusers* file that would then be used to
-    produce the seusers.final file with both policy and locally defined user
-    mapping.
-3.  It is also possible to associate a Linux group of users to an
-    SELinux user as follows:
--   *semanage login -a -s staff_u %staff_group*
-
-**The format of the** *seusers* & *seusers.local* **files are as follows:**
+1. Building a policy where an optional *seusers* file has been included
+   in the base package via the ***semodule_package**(8)* command
+   (signified by the *-s* flag) as follows:
+   - *semodule_package -o base.pp -m base.mod -s seusers ...*
+   - The *seusers* file would be extracted by the subsequent ***semodule***
+     command when building the policy to produce the *seusers.final* file.
+2. The ***semanage login*** command is used to map Linux users to
+   SELinux users as follows:
+   - *semanage login -a -s staff_u rch*
+   - This action will update the *seusers* file that would then be used to
+      produce the seusers.final file with both policy and locally defined user
+      mapping.
+3. It is also possible to associate a Linux group of users to an
+   SELinux user as follows:
+   - *semanage login -a -s staff_u %staff_group*
+
+**The format of the** *seusers* and *seusers.local* **files are as follows:**
 
 ```
 [%]user_id:seuser_id[:range]
@@ -452,22 +494,18 @@ The *seusers* file is built or modified when:
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td>user_id</td>
-<td>Where <em>user_id</em> is the Linux user identity. If this is a Linux <em>group_id</em> then it will be preceded with the '<em>%</em>' sign as shown in the example below.</td>
-</tr>
-<tr>
-<td>seuser_id</td>
-<td>The SELinux user identity.</td>
-</tr>
-<tr>
-<td>range</td>
-<td>The optional <em>level</em> or range.</td>
-</tr>
-</tbody>
-</table>
+*user_id*
+
+- Where *user_id* is the Linux user identity. If this is a Linux *group_id*
+  then it will be preceded with the '*%*' sign as shown in the example below.
+
+*seuser_id*
+
+- The SELinux user identity.
+
+*range*
+
+- The optional *level* or *range*.
 
 **Example** *seusers* **file contents:**
 
@@ -510,32 +548,32 @@ rch:user_u:s0
 These three files work together to describe SELinux user information as
 follows:
 
-1.  The *users_extra* and *users_extra.local* files are used to map a
-    *prefix* to a users home directories as discussed in the
-    [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files)
-    section, where it is used to replace the *ROLE* keyword. The
-    *prefix* is linked to an SELinux user id and should reflect the users role.
--   The *users_extra* file contains all the policy *prefix* entries, and the
-    *users_extra.local* file contains those generated by the ***semanage user***
-    command.
--   The *users_extra* file can optionally be included in the base package via
-    the ***semodule_package**(8)* command (signified by the *-u* flag) as
-    follows:
--   *semodule_package -o base.pp -m base.mod -u users_extra ...*
--   The *users_extra* file would then be extracted by a subsequent semodule
-    command when building the policy.
-2.  The *users.local* file is used to add new SELinux users to the policy
-    without editing the policy source itself (with each line in the file
-    following a policy language
-    [**user Statement**](user_statements.md#user-statements)).
-    This is useful when only the Reference Policy headers are installed and
-    additional users need to be added. The ***semanage user*** command will allow
-    a new SELinux user to be added that would generate the *user.local* file
-    and if a *-P* flag has been specified, then a *users_extra.local* file is also
-    updated (note: if this is a new SELinux user and a prefix is not specified
-    a default *prefix* of user is generated).
-
-**The format of the** *users_extra* & *users_extra.local* **files are:**
+1. The *users_extra* and *users_extra.local* files are used to map a
+   *prefix* to a users home directories as discussed in the
+   [**Building the File Labeling Support Files**](#building-the-file-labeling-support-files)
+   section, where it is used to replace the *ROLE* keyword. The
+   *prefix* is linked to an SELinux user id and should reflect the users role.
+   - The *users_extra* file contains all the policy *prefix* entries, and the
+     *users_extra.local* file contains those generated by the
+     ***semanage user*** command.
+   - The *users_extra* file can optionally be included in the base package via
+     the ***semodule_package**(8)* command (signified by the *-u* flag) as
+     follows:
+   - *semodule_package -o base.pp -m base.mod -u users_extra ...*
+   - The *users_extra* file would then be extracted by a subsequent semodule
+   command when building the policy.
+2. The *users.local* file is used to add new SELinux users to the policy
+   without editing the policy source itself (with each line in the file
+   following a policy language
+   [**user Statement**](user_statements.md#user-statements)).
+   This is useful when only the Reference Policy headers are installed and
+   additional users need to be added. The ***semanage user*** command will allow
+   a new SELinux user to be added that would generate the *user.local* file
+   and if a *-P* flag has been specified, then a *users_extra.local* file is also
+   updated (note: if this is a new SELinux user and a prefix is not specified
+   a default *prefix* of user is generated).
+
+**The format of the** *users_extra* and *users_extra.local* **files are:**
 
 ```
 user seuser_id prefix prefix_id;
@@ -543,26 +581,24 @@ user seuser_id prefix prefix_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td>user</td>
-<td>The user keyword.</td>
-</tr>
-<tr>
-<td>seuser_id</td>
-<td>The SELinux user identity.</td>
-</tr>
-<tr>
-<td>prefix</td>
-<td>The prefix keyword.</td>
-</tr>
-<tr>
-<td>prefix_id</td>
-<td>An identifier that will be used to replace the ROLE keyword within the active/homedir_template file when building the active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories.</td>
-</tr>
-</tbody>
-</table>
+*user*
+
+- The user keyword.
+
+*seuser_id*
+
+- The SELinux user identity.
+
+*prefix*
+
+- The prefix keyword.
+
+*prefix_id*
+
+- An identifier that will be used to replace the *ROLE* keyword within the
+  *active/homedir_template* file when building the
+  *active/file_contexts.homedirs* file for the relabeling utilities to set
+  the security context on users home directories.
 
 **Example** *users_extra* **file contents:**
 

From patchwork Wed Sep  2 13:17:36 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11777671
Return-Path: <SRS0=vGri=CY=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 79C6759D
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 19:53:35 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 4FCA62078E
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 19:53:35 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="fbPP+jOH"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727830AbgIOTxc (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 15 Sep 2020 15:53:32 -0400
Received: from mailomta8-sa.btinternet.com ([213.120.69.14]:28609 "EHLO
        sa-prd-fep-049.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1727751AbgIOTxT (ORCPT
        <rfc822;selinux@vger.kernel.org>); Tue, 15 Sep 2020 15:53:19 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-040.btinternet.com with ESMTP
          id
 <20200902131748.LIKW5290.sa-prd-fep-040.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:48 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052668;
        bh=f9Xgk0jtnpb0PpwmGxZahurw7+LZbZCh8FkknZxjWOE=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=fbPP+jOHDk4wtgbO/843QzqPvmPsulAEKlzn3uEtyu7rGMepk8lXx+croaDSfpXWEFd8TfNrwen4iPQDHEp2KGNjIU6Aei887DXdLbwi+pU34McacZazpcZ8gF8l95DRz+GywAmZDXIX4obBrmQjW+uB284BWt0Wl1obqpJH4LTTnQZnoRUwL/yZgjlU5AnbuyiIKDan8CTQoyqopPNMqwD+jR7BxISC3QB4xFVVc2RAoHrVvQyIw0u0ZvI7IAAbE69/nM8vkKWXIFoSBOYfQxtBaXBLj7nB98KVoQ6ROFV1/8dUu3bL8wRAq8sXohL+gueiDm3DuLPB72m+dDrh7g==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BF4; Wed, 2 Sep 2020 14:17:48 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 11/13] polyinstantiation: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:36 +0100
Message-Id: <20200902131738.18425-12-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/polyinstantiation.md | 108 ++++++++++++++++++++++-----------------
 1 file changed, 60 insertions(+), 48 deletions(-)

diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md
index 3a64918..16a13c2 100644
--- a/src/polyinstantiation.md
+++ b/src/polyinstantiation.md
@@ -1,5 +1,12 @@
 # Polyinstantiation Support
 
+- [Polyinstantiated Objects](#polyinstantiated-objects)
+- [Polyinstantiation support in PAM](#polyinstantiation-support-in-pam)
+  - [*namespace.conf* Configuration File](#namespace.conf-configuration-file)
+    - [Example Configurations](#example-configurations)
+- [Polyinstantiation support in X-Windows](#polyinstantiation-support-in-x-windows)
+- [Polyinstantiation support in the Reference Policy](#polyinstantiation-support-in-the-reference-policy)
+
 GNU / Linux supports the polyinstantiation of directories that can be
 utilised by SELinux via the Pluggable Authentication Module (PAM) as explained
 in the next section. The
@@ -12,16 +19,16 @@ sockets are not yet supported.
 
 To clarify polyinstantiation support:
 
-1.  SELinux has *libselinux* functions and a policy rule to support
-    polyinstantiation.
-2.  The polyinstantiation of directories is a function of GNU / Linux
-    not SELinux (as more correctly, the GNU / Linux services such as PAM
-    have been modified to support polyinstantiation of directories and
-    have also been made SELinux-aware. Therefore their services can be
-    controlled via policy).
-3.  The polyinstantiation of X-windows selections and properties is a
-    function of the XSELinux Object Manager and the supporting XACE
-    service.
+1. SELinux has *libselinux* functions and a policy rule to support
+   polyinstantiation.
+2. The polyinstantiation of directories is a function of GNU / Linux
+   not SELinux (as more correctly, the GNU / Linux services such as PAM
+   have been modified to support polyinstantiation of directories and
+   have also been made SELinux-aware. Therefore their services can be
+   controlled via policy).
+3. The polyinstantiation of X-windows selections and properties is a
+   function of the XSELinux Object Manager and the supporting XACE
+   service.
 
 ## Polyinstantiated Objects
 
@@ -46,10 +53,11 @@ to enable the feature and some [**examples**](#example-configurations).
 To implement polyinstantiated directories PAM requires the following
 files to be configured:
 
-1.  A **pam_namespace** module entry added to the appropriate */etc/pam.d/*
-    login configuration file (e.g. login, sshd, gdm etc.). Fedora
-    already has these entries configured, with an example
-    */etc/pam.d/gdm-password* file being:
+- A **pam_namespace** module entry added to the appropriate */etc/pam.d/*
+  login configuration file (e.g. login, sshd, gdm etc.). Fedora
+  already has these entries configured, with an example
+  */etc/pam.d/gdm-password* file being:
+
 ```
 auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
 auth        substack      password-auth
@@ -73,13 +81,13 @@ session     optional      pam_gnome_keyring.so auto_start
 session     include       postlogin
 ```
 
-2.  Entries added to the */etc/security/namespace.conf* file that defines
-    the directories to be polyinstantiated by PAM (and other services
-    that may need to use the namespace service). The entries are
-    explained in the
-    [*namespace.conf*](#namespace.conf-configuration-file) section,
-    with the default entries in Fedora being (note that the entries are
-    commented out in the distribution):
+- Entries added to the */etc/security/namespace.conf* file that defines
+  the directories to be polyinstantiated by PAM (and other services
+  that may need to use the namespace service). The entries are
+  explained in the
+  [*namespace.conf*](#namespace.conf-configuration-file) section,
+  with the default entries in Fedora being (note that the entries are
+  commented out in the distribution):
 
 ```
 # polydir  instance-prefix     method  list_of_uids
@@ -108,33 +116,37 @@ Each line in the namespace.conf file is formatted as follows:
 polydir instance_prefix method list_of_uids
 ```
 
-Where:
-
-<table>
-<tbody>
-<tr>
-<td>polydir</td>
-<td>The absolute path name of the directory to polyinstantiate. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.</td>
-</tr>
-<tr>
-<td>instance_prefix</td>
-<td>A string prefix used to build the pathname for the polyinstantiated directory. The optional strings $USER and $HOME will be replaced by the user name and home directory respectively.</td>
-</tr>
-<tr>
-<td>method</td>
-<td><p>This is used to determine the method of polyinstantiation with valid entries being:</p>
-<p>user - Polyinstantiation is based on user name.</p>
-<p>level - Polyinstantiation is based on the user name and MLS level.</p>
-<p>context - Polyinstantiation is based on the user name and security context.</p>
-<p>Note that level and context are only valid for SELinux enabled systems.</p></td>
-</tr>
-<tr>
-<td>list_of_uids</td>
-<td><p>A comma separated list of user names that will not have polyinstantiated directories. If blank, then all users are polyinstantiated. If the list is preceded with an '~' character, then only the users in the list will have polyinstantiated directories.</p>
-<p>There are a number of optional flags available that are described in the <strong>namespace.conf</strong>(5) man page.</p></td>
-</tr>
-</tbody>
-</table>
+**Where:**
+
+*polydir*
+
+- The absolute path name of the directory to polyinstantiate. The optional
+  strings *\$USER* and *\$HOME* will be replaced by the user name and home
+  directory respectively.
+
+*instance_prefix*
+
+- A string prefix used to build the pathname for the polyinstantiated
+  directory. The optional strings *\$USER* and *\$HOME* will be replaced by
+  the user name and home directory respectively.
+
+*method*
+
+- This is used to determine the method of polyinstantiation with valid
+  entries being:
+  - *user*    - Polyinstantiation is based on user name.
+  - *level*   - Polyinstantiation is based on user name and MLS level.
+  - *context* - Polyinstantiation is based on user name and security context.
+- Note that *level* and *context* are only valid for SELinux enabled systems.
+
+*list_of_uids*
+
+- A comma separated list of user names that will not have polyinstantiated
+  directories. If blank, then all users are polyinstantiated. If the list is
+  preceded with an '~' character, then only the users in the list will have
+  polyinstantiated directories.
+  There are a number of optional flags available that are described in the
+  ***namespace.conf**(5)* man page.
 
 ### Example Configurations
 

From patchwork Wed Sep  2 13:17:37 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11777667
Return-Path: <SRS0=vGri=CY=vger.kernel.org=selinux-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4CBBF746
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 19:51:41 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 02F712078D
	for <patchwork-selinux@patchwork.kernel.org>;
 Tue, 15 Sep 2020 19:51:40 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=btinternet.com header.i=@btinternet.com
 header.b="HX0jODTC"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727721AbgIOTt4 (ORCPT
        <rfc822;patchwork-selinux@patchwork.kernel.org>);
        Tue, 15 Sep 2020 15:49:56 -0400
Received: from mailomta6-sa.btinternet.com ([213.120.69.12]:62158 "EHLO
        sa-prd-fep-043.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1727952AbgIOTtn (ORCPT
        <rfc822;selinux@vger.kernel.org>); Tue, 15 Sep 2020 15:49:43 -0400
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-045.btinternet.com with ESMTP
          id
 <20200902131748.VNDJ4112.sa-prd-fep-045.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:48 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052668;
        bh=CHJo7+Mp8hJaF/i7p8CvP20Ym0pqyO3Fl0dzhORi41Y=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=HX0jODTCVnCyZ16DzdzG2QKdgS/4YqtELGjpIGPhYZOfva6Xx2q3WXxNGDMMVmQ/Y1pJLkt4yz24ujIpSRp+SaoBXNQNzNZuHbT3nW0w8B1tixLiU0YOYBlLwZG4FryEVmtR1oThpCIavdgJHGrrogpngxaWCua7BNNcvSMxrEfoQqeayjXv6CwHOpvgbwF+pdlzAUQrIBFfQ3gg1CvIb4TN25lidrd8wT5aQ9DjRwcgr8E+VntbVkDG68S+tGnSfpT6/98axdbMS63iQAq6++MoDf7BFtti0kdjstqQKGvgjMR+T+T1HffzczycVSZvxUSkq2jplDdU7o49WjS69g==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36BFB; Wed, 2 Sep 2020 14:17:48 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 12/13] rbac: Minor format fix
Date: Wed,  2 Sep 2020 14:17:37 +0100
Message-Id: <20200902131738.18425-13-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/rbac.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rbac.md b/src/rbac.md
index 4063e38..0cf4c22 100644
--- a/src/rbac.md
+++ b/src/rbac.md
@@ -6,7 +6,7 @@ associated to one or more roles, where each role is then associated to
 one or more domain types as shown in **Figure 4: Role Based Access Control**.
 
 The SELinux role name is the second component of a 'security context'
-and by convention SELinux roles end in *_r*, however this is not
+and by convention SELinux roles end in *\_r*, however this is not
 enforced by any SELinux service (i.e. it is only used to identify the
 role component), although CIL with namespaces does make identification
 of a role easier for example a 'role' could be declared as

From patchwork Wed Sep  2 13:17:38 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 11955569
Return-Path: <selinux-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EBE1EC1B087
	for <selinux@archiver.kernel.org>; Mon,  7 Dec 2020 11:44:21 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id BFF0623358
	for <selinux@archiver.kernel.org>; Mon,  7 Dec 2020 11:44:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726765AbgLGLnz (ORCPT <rfc822;selinux@archiver.kernel.org>);
        Mon, 7 Dec 2020 06:43:55 -0500
Received: from mailomta12-sa.btinternet.com ([213.120.69.18]:19443 "EHLO
        sa-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726920AbgLGLnz (ORCPT
        <rfc822;selinux@vger.kernel.org>); Mon, 7 Dec 2020 06:43:55 -0500
Received: from sa-prd-rgout-003.btmx-prd.synchronoss.net ([10.2.38.6])
          by sa-prd-fep-042.btinternet.com with ESMTP
          id
 <20200902131749.VSZJ26396.sa-prd-fep-042.btinternet.com@sa-prd-rgout-003.btmx-prd.synchronoss.net>;
          Wed, 2 Sep 2020 14:17:49 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
 s=btmx201904; t=1599052669;
        bh=SiJK/x+UPWFOsLATevCqvVre/gI5Ap+L0Q69Dk7Hoys=;
        h=From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References:MIME-Version;
        b=pzgdPYW+73g8eNOPr4866ohW4irKoWNxwQeDMtH2jCHXAPhRscK6gyOx6NSMqBZS9oOFzZ4haT1Q449zB0611E/YOgyhJYWvvy1GX9KdXvNOG3Jo7WXlgRr4UGZhgbIOWL5qRte9UH8O11i351mf5nQyk/RblRQ84+vTgFsV3iG1I0i06Ps9PlW49Emb7SLJ9HL6hXDl1k07WazcTedhiVBr4T14gYR7l6YWdU3lOrUwR0e4iE0I/1sg1rC3QJhl3xKcJQCsuARdrMA7os2cw+O/d7NycEyhMgw4l4/DkVcKQBiomMqAoS9vT4xn2Dvn1HSRcDg4smeRB8LL+aPw5g==
Authentication-Results: btinternet.com; none
X-Originating-IP: [109.155.32.197]
X-OWM-Source-IP: 109.155.32.197 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: 
 gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpeeutddtleelheeugefgiefhiedtheeukeffveeitdffgeffieeugeeljeegvefgieenucfkphepuddtledrudehhedrfedvrdduleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplhhotggrlhhhohhsthdrlhhotggrlhguohhmrghinhdpihhnvghtpedutdelrdduheehrdefvddrudeljedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequcfqtfevrffvpehrfhgtkedvvdenrhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhdprhgtphhtthhopeeoshgvlhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from localhost.localdomain (109.155.32.197) by
 sa-prd-rgout-003.btmx-prd.synchronoss.net (5.8.340) (authenticated as
 richard_c_haines@btinternet.com)
        id 5ED9AFBE0EF36C0D; Wed, 2 Sep 2020 14:17:49 +0100
From: Richard Haines <richard_c_haines@btinternet.com>
To: paul@paul-moore.com, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH 13/13] role_statements: Convert to markdown
Date: Wed,  2 Sep 2020 14:17:38 +0100
Message-Id: <20200902131738.18425-14-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902131738.18425-1-richard_c_haines@btinternet.com>
References: <20200902131738.18425-1-richard_c_haines@btinternet.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <selinux.vger.kernel.org>
X-Mailing-List: selinux@vger.kernel.org

Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/role_statements.md | 443 +++++++++++++++++------------------------
 1 file changed, 178 insertions(+), 265 deletions(-)

diff --git a/src/role_statements.md b/src/role_statements.md
index c11a01d..b706234 100644
--- a/src/role_statements.md
+++ b/src/role_statements.md
@@ -1,5 +1,12 @@
 # Role Statements
 
+- [*role*](#role)
+- [*attribute_role*](#attribute_role)
+- [*roleattribute*](#roleattribute)
+- [*allow*](#allow)
+- [*role_transition*](#role_transition)
+- [*dominance* - Deprecated](#dominance---deprecated)
+
 Policy version 26 introduced two new role statements aimed at replacing
 the deprecated role *dominance* rule by making role relationships easier to
 understand. These new statements: *attribute_role* and *roleattribute*
@@ -27,54 +34,42 @@ role role_id types type_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>role</code></td>
-<td>The <code>role</code> keyword.</td>
-</tr>
-<tr>
-<td><code>role_id</code></td>
-<td>The identifier of the role being declared. The same role identifier can be declared more than once in a policy, in which case the <code>type_id</code> entries will be amalgamated by the compiler.</td>
-</tr>
-<tr>
-<td><code>types</code></td>
-<td>The optional <code>types</code> keyword.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td><p>When used with the <code>types</code> keyword, one or more type, <code>typealias</code> or <code>attribute</code> identifiers associated with the <code>role_id</code>. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.</p>
-<p>For <code>role</code> statements, only <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers associated to domains have any meaning within SELinux.</p></td>
-</tr>
-</tbody>
-</table>
+*role*
+
+The *role* keyword.
+
+*role_id*
+
+The identifier of the role being declared. The same *role* identifier can be
+declared more than once in a policy, in which case the *type_id* entries will
+be amalgamated by the compiler.
+
+*types*
+
+The optional *types* keyword.
+
+*type_id*
+
+When used with the *types* keyword, one or more type, *typealias* or
+*attribute* identifiers associated with the *role_id*. Multiple entries
+consist of a space separated list enclosed in braces '{}'. Entries can be
+excluded from the list by using the negative operator '-'.
+For *role* statements, only *type*, *typealias* or *attribute* identifiers
+associated to domains have any meaning within SELinux.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
 
 **Examples:**
 
@@ -108,45 +103,27 @@ attribute_role attribute_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>attribute_role</code></td>
-<td>The <code>attribute_role</code> keyword.</td>
-</tr>
-<tr>
-<td><code>attribute_id</code></td>
-<td>The <code>attribute</code> identifier.</td>
-</tr>
-</tbody>
-</table>
+*attribute_role*
+
+The *attribute_role* keyword.
+
+*attribute_id*
+
+The *attribute* identifier.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
 
 **Examples:**
 
@@ -161,8 +138,8 @@ attribute_role srole_list_2;
 
 ## *roleattribute*
 
-The <code>roleattribute</code> statement allows the association of previously
-declared roles to one or more previously declared <code>attribute_roles</code>.
+The *roleattribute* statement allows the association of previously
+declared roles to one or more previously declared *attribute_roles*.
 
 **The statement definition is:**
 
@@ -172,49 +149,32 @@ roleattribute role_id attribute_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>roleattribute</code></td>
-<td>The <code>roleattribute</code> keyword.</td>
-</tr>
-<tr>
-<td><code>role_id</code></td>
-<td>The identifier of a previously declared <code>role</code>.</td>
-</tr>
-<tr>
-<td><code>attribute_id</code></td>
-<td>One or more previously declared <code>attribute_role</code> identifiers. Multiple entries consist of a comma ',' separated list.</td>
-</tr>
-</tbody>
-</table>
+*roleattribute*
+
+The *roleattribute* keyword.
+
+*role_id*
+
+The identifier of a previously declared *role*.
+
+*attribute_id*
+
+One or more previously declared *attribute_role* identifiers. Multiple entries
+consist of a comma ',' separated list.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Examples:**
 
@@ -232,11 +192,11 @@ roleattribute service_r role_list_1;
 
 ## *allow*
 
-The role *allow* rule checks whether a request to change roles is allowed,
+The 'role *allow*' rule checks whether a request to change roles is allowed,
 if it is, then there may be a further request for a *role_transition* so
 that the process runs with the new role or role set.
 
-Note that the role allow rule has the same keyword as the allow AV rule.
+Note that the 'role *allow*' rule has the same keyword as the *allow* AV rule.
 
 **The statement definition is:**
 
@@ -246,49 +206,33 @@ allow from_role_id to_role_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>allow</code></td>
-<td>The <code>role allow</code> rule keyword.</td>
-</tr>
-<tr>
-<td><code>from_role_id</code></td>
-<td>One or more <code>role</code> or <code>attribute_role</code> identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>to_role_id</code></td>
-<td>One or more <code>role</code> or <code>attribute_role</code> identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-</tbody>
-</table>
+*allow*
+
+The role *allow* rule keyword.
+
+*from_role_id*
+
+One or more *role* or *attribute_role* identifiers that identify the current
+role. Multiple entries consist of a space separated list enclosed in braces '{}'.
+
+*to_role_id*
+
+One or more *role* or *attribute_role* identifiers that identify the current
+role. Multiple entries consist of a space separated list enclosed in braces '{}'.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Example:**
 
@@ -321,57 +265,43 @@ role_transition current_role_id type_id : class new_role_id;
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>role_transition</code></td>
-<td>The <code>role_transition</code> keyword.</td>
-</tr>
-<tr>
-<td><code>current_role_id</code></td>
-<td>One or more <code>role</code> or <code>attribute_role</code> identifiers that identify the current role. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td>One or more <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'. </td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>For policy versions &gt;= 25 an object <code>class</code> that applies to the role transition. If omitted defaults to the <code>process</code> object class.</td>
-</tr>
-<tr>
-<td><code>new_role_id</code></td>
-<td>A single <code>role</code> identifier that will become the new role. </td>
-</tr>
-</tbody>
-</table>
+*role_transition*
+
+The *role_transition* keyword.
+
+*current_role_id*
+
+One or more *role* or *attribute_role* identifiers that identify the current
+role. Multiple entries consist of a space separated list enclosed in braces '{}'.
+
+*type_id*
+
+One or more *type*, *typealias* or *attribute* identifiers. Multiple entries
+consist of a space separated list enclosed in braces '{}'. Entries can be
+excluded from the list by using the negative operator '-'.
+
+*class*
+
+For policy versions \>= 25 an object *class* that applies to the role
+transition. If omitted defaults to the *process* object class.
+
+*new_role_id*
+
+A single *role* identifier that will become the new role.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Example:**
 
@@ -388,12 +318,12 @@ inherit all the type associations of the other roles.
 
 Notes:
 
-1.  There is another dominance rule for MLS (see the
-    [**MLS *dominance***](mls_statements.md#dominance) statement.
-2.  The role dominance rule is not used by the **Reference Policy** as
-    the policy manages role dominance using the
-    [***constrain***](constraint_statements.md#constraint-statements) statement.
-3.  Note the usage of braces '{}' and the ';' in the statement.
+1. There is another dominance rule for MLS (see the
+   [**MLS *dominance***](mls_statements.md#dominance) statement.
+2. The role dominance rule is not used by the **Reference Policy** as
+   the policy manages role dominance using the
+   [***constrain***](constraint_statements.md#constraint-statements) statement.
+3. Note the usage of braces '{}' and the ';' in the statement.
 
 **The statement definition is:**
 
@@ -401,55 +331,38 @@ Notes:
 dominance { role dom_role_id { role role_id; } }
 ```
 
-Where:
-
-<table>
-<tbody>
-<tr>
-<td><code>dominance</code></td>
-<td>The <code>dominance</code> keyword.</td>
-</tr>
-<tr>
-<td><code>role</code></td>
-<td>The <code>role</code> keyword.</td>
-</tr>
-<tr>
-<td><code>dom_role_id</code></td>
-<td>The dominant role identifier.</td>
-</tr>
-<tr>
-<td><code>role_id</code></td>
-<td>For the simple case each <code>{ role role_id; }</code> pair defines the <code>role_id</code> that will be dominated by the <code>dom_role_id</code>.</td>
-</tr>
-</tbody>
-</table>
+**Where:**
+
+*dominance*
+
+The *dominance* keyword.
+
+*role*
+
+The *role* keyword.
+
+*dom_role_id*
+
+The dominant role identifier.
+
+*role_id*
+
+For the simple case each *{ role role_id; }* pair defines the *role_id* that
+will be dominated by the *dom_role_id*.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* Statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Example:**