From patchwork Wed May 3 12:03:30 2023
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 13230127
X-Patchwork-Delegate: plautrba@redhat.com
From: Vit Mojzis
To: selinux@vger.kernel.org
Subject: [PATCH 1/3] python/chcat: Improve man pages
Date: Wed, 3 May 2023 14:03:30 +0200
Message-Id: <20230503120332.699464-2-vmojzis@redhat.com>
In-Reply-To: <20230503120332.699464-1-vmojzis@redhat.com>
References: <20230503120332.699464-1-vmojzis@redhat.com>

- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples

Signed-off-by: Vit Mojzis

--- python/chcat/chcat.8 | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/python/chcat/chcat.8 b/python/chcat/chcat.8 index d095a255..ae65fef1 100644 --- a/python/chcat/chcat.8 +++ b/python/chcat/chcat.8 @@ -1,6 +1,6 @@ .TH CHCAT "8" "September 2005" "chcat" "User Commands" .SH NAME -chcat \- change file SELinux security category +chcat \- change SELinux security categories of files/users .SH SYNOPSIS .B chcat \fIcategory file\fR... 
@@ -25,23 +25,33 @@ chcat \- change file SELinux security category .br .SH DESCRIPTION .PP -Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR. -.PP -Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR. +Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR (only a single category can be specified at a time). Or specify the desired list/range of categories to be applied (replacing the existing categories). .PP .B Note: -When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead. +When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead. .TP \fB\-d\fR -delete the category from each FILE/USER. +delete all categories from given FILE/USER. .TP \fB\-L\fR list available categories. .TP \fB\-l\fR Tells chcat to operate on users instead of files. + +.SH EXAMPLE +.nf +Replace categories of user "test" with c0.c6 +# chcat -l c0.c6 test +Add category c1023 to user "test" +# chcat -l +c1023 test +Remove category c5 from file "file" +# chcat -- -c5 file +Remove all categories from file "file" +# sudo chcat -d file + .SH "SEE ALSO" .TP chcon(1), selinux(8), semanage(8) 
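Review bot: The second sentence of the rewritten DESCRIPTION paragraph is a fragment ("Or specify the desired list/range of categories to be applied ..."); join it to the first: "... (only a single category can be specified at a time), or specify the desired list/range of categories to be applied, replacing the existing categories." In the new EXAMPLE block the commands use plain hyphens (`# chcat -l c0.c6 test`, `# chcat -- -c5 file`) while the rest of this page escapes option dashes as `\-` (see `'\-\-'` in the Note paragraph); use `\-` so groff renders a minus sign rather than a hyphen. The last example, `# sudo chcat -d file`, is the only one prefixed with sudo although the `#` prompt already denotes root; drop the sudo for consistency. For `\-d`, "delete all categories from given FILE/USER" reads better as "delete all categories from the given FILE/USER". The Note paragraph is rewritten with no visible change in wording; if this is only trailing whitespace, consider leaving the line untouched to keep the diff minimal.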
@@ -52,4 +62,3 @@ When operating on files this script wraps the chcon command. /etc/selinux/{SELINUXTYPE}/setrans.conf .br /etc/selinux/{SELINUXTYPE}/seusers - 

From patchwork Wed May 3 12:03:31 2023
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 13230126
X-Patchwork-Delegate: plautrba@redhat.com
From: Vit Mojzis
To: selinux@vger.kernel.org
Subject: [PATCH 2/3] python/audit2allow: Add missing options to man page
Date: Wed, 3 May 2023 14:03:31 +0200
Message-Id: <20230503120332.699464-3-vmojzis@redhat.com>
In-Reply-To: <20230503120332.699464-1-vmojzis@redhat.com>
References: <20230503120332.699464-1-vmojzis@redhat.com>

--- python/audit2allow/audit2allow.1 | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1 index 04ec3239..b7d30918 100644 --- a/python/audit2allow/audit2allow.1 +++ b/python/audit2allow/audit2allow.1 
@@ -40,26 +40,36 @@ Read input from audit and message log, conflicts with \-i .TP .B "\-b" | "\-\-boot" -Read input from audit messages since last boot conflicts with \-i +Read input from audit messages since last boot, conflicts with \-i .TP .B "\-d" | "\-\-dmesg" -Read input from output of +Read input from output of .I /bin/dmesg. Note that all audit messages are not available via dmesg when auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead. .TP +.B "\-\-debug" +Leave generated modules for -M +.TP .B "\-D" | "\-\-dontaudit" Generate dontaudit rules (Default: allow) .TP +.B "\-e" | "\-\-explain" +Fully explain generated output +.TP .B "\-h" | "\-\-help" Print a short usage message .TP .B "\-i " | "\-\-input " -read input from +Read input from .I .TP +.B "\-\-interface-info=" +Read interface information from +.I +.TP .B "\-l" | "\-\-lastreload" -read input only after last policy reload +Read input only after last policy reload .TP .B "\-m " | "\-\-module " Generate module/require output @@ -70,8 +80,12 @@ Generate loadable module package, conflicts with \-o .B "\-p " | "\-\-policy " Policy file to use for analysis .TP +.B "\-\-perm-map " +Read permission map from +.I +.TP .B "\-o " | "\-\-output " -append output to +Append output to .I .TP .B "\-r" | "\-\-requires" 
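Review bot: The new `\-\-debug` entry references the module option as plain `-M` ("Leave generated modules for -M") while every other option reference on this page is escaped as `\-`; write `\-M` so it renders consistently, and "Leave generated modules for \-M" would be clearer as "Do not delete the modules generated for \-M". The newly added long options are also written in two styles: `\-\-interface-info=` with a trailing `=`, but `\-\-input`, `\-\-module`, `\-\-policy` and the new `\-\-perm-map` with a space before the argument; pick one form for the whole page. Unrelated to the hunk itself: this patch and 3/3 carry no Signed-off-by line, unlike 1/3.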
@@ -85,6 +99,9 @@ This is the default behavior. Generate reference policy using installed macros. This attempts to match denials against interfaces and may be inaccurate. .TP +.B "\-t " | "\-\-type=" +Only process messages with a type that matches this regex +.TP .B "\-x" | "\-\-xperms" Generate extended permission access vector rules .TP 

From patchwork Wed May 3 12:03:32 2023
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 13230128
X-Patchwork-Delegate: plautrba@redhat.com
From: Vit Mojzis
To: selinux@vger.kernel.org
Subject: [PATCH 3/3] python/semanage: Improve man pages
Date: Wed, 3 May 2023 14:03:32 +0200
Message-Id: <20230503120332.699464-4-vmojzis@redhat.com>
In-Reply-To: <20230503120332.699464-1-vmojzis@redhat.com>
References: <20230503120332.699464-1-vmojzis@redhat.com>

- Add missing options
- Add more examples
- Note special cases

--- python/semanage/semanage-boolean.8 | 9 ++++++--- python/semanage/semanage-dontaudit.8 | 8 +++++--- python/semanage/semanage-export.8 | 10 +++++++++- python/semanage/semanage-fcontext.8 | 15 ++++++++++----- python/semanage/semanage-ibendport.8 | 6 ++++-- python/semanage/semanage-ibpkey.8 | 6 ++++-- python/semanage/semanage-import.8 | 10 +++++++++- python/semanage/semanage-interface.8 | 8 ++++++-- python/semanage/semanage-login.8 | 14 ++++++++------ python/semanage/semanage-module.8 | 15 ++++++++++----- python/semanage/semanage-node.8 | 16 +++++++++++++--- python/semanage/semanage-permissive.8 | 8 +++++--- python/semanage/semanage-port.8 | 10 ++++++---- python/semanage/semanage-user.8 | 8 +++++--- 14 files changed, 100 insertions(+), 43 deletions(-) 
diff --git a/python/semanage/semanage-boolean.8 b/python/semanage/semanage-boolean.8 index 1282d106..3b664023 100644 --- a/python/semanage/semanage-boolean.8 +++ b/python/semanage/semanage-boolean.8 @@ -7,11 +7,14 @@ semanage\-boolean \- SELinux Policy Management boolean tool .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain. +from policy sources. +.B semanage boolean +command controls the settings of booleans in SELinux policy. Booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain. + .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -45,7 +48,7 @@ Disable the boolean .SH EXAMPLE .nf -Turn on the apache can send mail boolean +Turn on the "apache can send mail" boolean (persistent version of #setsebool httpd_can_sendmail on) # semanage boolean \-m \-\-on httpd_can_sendmail List customized booleans diff --git a/python/semanage/semanage-dontaudit.8 b/python/semanage/semanage-dontaudit.8 index 81accc6f..51d1f4b6 100644 --- a/python/semanage/semanage-dontaudit.8 +++ b/python/semanage/semanage-dontaudit.8 
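Review bot: In semanage-boolean.8 the rewritten DESCRIPTION line carries over the typo "effect a confined domain"; since the line is being replaced anyway, make it "affect a confined domain". In the EXAMPLE, the parenthetical "(persistent version of #setsebool httpd_can_sendmail on)" puts a prompt character inside running text; write it as "(persistent equivalent of: setsebool httpd_can_sendmail on)" or put the setsebool command on its own `#` line like the other examples.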
@@ -7,13 +7,15 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause -confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. +from policy sources. +.B semanage dontaudit +toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause +confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Sometimes dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turn off dontaudit rules with this command to see if the kernel is blocking an access. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-S STORE, \-\-store STORE Select an alternate SELinux Policy Store to manage diff --git a/python/semanage/semanage-export.8 b/python/semanage/semanage-export.8 index d422683b..b25b186d 100644 --- a/python/semanage/semanage-export.8 +++ b/python/semanage/semanage-export.8 
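Review bot: In semanage-dontaudit.8, the kept line "Dontaudit rules are denied but not reported in the logs" says the rules are denied when it is the accesses they match that are denied silently; since the surrounding sentences are being reworded in this hunk, consider "Accesses matched by dontaudit rules are denied but not reported in the audit log". The new "Turn off dontaudit rules with this command to see if the kernel is blocking an access" is a good fix of the old fragment.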
@@ -7,7 +7,15 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. +from policy sources. +.B semanage import +and +.B export +can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customisations on the second machine as the command list generated using +.B semanage export +start with +.I -D +for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. .SH "OPTIONS" .TP diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8 index 1ebf085f..4339aec9 100644 --- a/python/semanage/semanage-fcontext.8 +++ b/python/semanage/semanage-fcontext.8 @@ -8,8 +8,10 @@ semanage\-fcontext \- SELinux Policy Management file context tool .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage fcontext is used to manage the default -file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels. +from policy sources. +.B semanage fcontext +is used to manage the default file system labeling on an SELinux system. +This command maps file paths using regular expressions to SELinux labels. FILE_SPEC may contain either a fully qualified path, or a Perl compatible regular expression (PCRE), 
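Review bot: In semanage-export.8 the new caveat has a number-agreement error and an unescaped option: "the command list generated using semanage export start with -D" should read "starts with \-D". The warning is important enough to state directly, e.g. "Note that importing such a list first removes all existing local semanage customisations on the target machine, because the output of semanage export begins with a \-D (delete-all) line for every semanage subcommand." The identical paragraph added to semanage-import.8 later in this patch needs the same fix.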
@@ -32,7 +34,7 @@ to avoid unintentionally impacting other parts of the filesystem. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -83,11 +85,12 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma .SH EXAMPLE .nf .I remember to run restorecon after you set the file context -Add file-context for everything under /web +Add file-context httpd_sys_content_t for everything under /web # semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?" # restorecon \-R \-v /web Substitute /home1 with /home when setting file context +i.e. label everything under /home1 the same way /home is labeled # semanage fcontext \-a \-e /home /home1 # restorecon \-R \-v /home1 @@ -99,7 +102,9 @@ execute the following commands. .SH "SEE ALSO" .BR selinux (8), -.BR semanage (8) +.BR semanage (8), +.BR restorecon (8), +.BR selabel_file (5) .SH "AUTHOR" This man page was written by Daniel Walsh diff --git a/python/semanage/semanage-ibendport.8 b/python/semanage/semanage-ibendport.8 index 0a29eae1..53fe4ee8 100644 --- a/python/semanage/semanage-ibendport.8 +++ b/python/semanage/semanage-ibendport.8 
@@ -5,12 +5,14 @@ .B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-z IBDEV_NAME \-r RANGE port ] .SH "DESCRIPTION" -semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibendport controls the ibendport number to ibendport type definitions. +semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. +.B semanage ibendport +controls the ibendport number to ibendport type definitions. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type diff --git a/python/semanage/semanage-ibpkey.8 b/python/semanage/semanage-ibpkey.8 index 51f455ab..6cc5e02f 100644 --- a/python/semanage/semanage-ibpkey.8 +++ b/python/semanage/semanage-ibpkey.8 
@@ -5,12 +5,14 @@ .B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range ] .SH "DESCRIPTION" -semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibpkey controls the ibpkey number to ibpkey type definitions. +semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. +.B semanage ibpkey +controls the ibpkey number to ibpkey type definitions. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type diff --git a/python/semanage/semanage-import.8 b/python/semanage/semanage-import.8 index 4a9b3e76..47e69b99 100644 --- a/python/semanage/semanage-import.8 +++ b/python/semanage/semanage-import.8 
@@ -7,7 +7,15 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. +from policy sources. +.B semanage import +and +.B export +can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customisations on the second machine as the command list generated using +.B semanage export +start with +.I -D +for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. .SH "OPTIONS" .TP diff --git a/python/semanage/semanage-interface.8 b/python/semanage/semanage-interface.8 index d9d526dc..080db70b 100644 --- a/python/semanage/semanage-interface.8 +++ b/python/semanage/semanage-interface.8 @@ -7,12 +7,14 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage interface controls the labels assigned to network interfaces. +from policy sources. +.B semanage interface +controls the labels assigned to network interfaces. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -54,6 +56,8 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma .nf list all interface definitions # semanage interface \-l +Assign type netif_t and MLS/MCS range s0:c0.c1023 to interface eth0 +# semanage interface \-a \-t netif_t \-r s0:c0.c1023 eth0 .SH "SEE ALSO" .BR selinux (8), 
diff --git a/python/semanage/semanage-login.8 b/python/semanage/semanage-login.8 index f451bdc6..9076a1ed 100644 --- a/python/semanage/semanage-login.8 +++ b/python/semanage/semanage-login.8 @@ -7,12 +7,14 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name. +from policy sources. +.B semanage login +controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -52,11 +54,11 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma .SH EXAMPLE .nf -Modify the default user on the system to the guest_u user +Set the default SELinux user on the system to guest_u # semanage login \-m \-s guest_u __default__ -Assign gijoe user on an MLS machine a range and to the staff_u user -# semanage login \-a \-s staff_u \-rSystemLow-Secret gijoe -Assign all users in the engineering group to the staff_u user +Map user gijoe to SELinux user staff_u and assign MLS range SystemLow\-Secret +# semanage login \-a \-s staff_u \-rSystemLow\-Secret gijoe +Map all users in the engineering group to SELinux user staff_u # semanage login \-a \-s staff_u %engineering .SH "SEE ALSO" 
diff --git a/python/semanage/semanage-module.8 b/python/semanage/semanage-module.8 index e0057167..6913b0cd 100644 --- a/python/semanage/semanage-module.8 +++ b/python/semanage/semanage-module.8 @@ -5,12 +5,14 @@ .B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name] .SH "DESCRIPTION" -semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules. +semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. +.B semanage module +installs, removes, disables, or enables SELinux Policy modules. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -22,11 +24,14 @@ Do not reload policy after commit Select an alternate SELinux Policy Store to manage .TP .I \-a, \-\-add -Install specified module +Install specified module. Accepts both binary policy files (.pp) and CIL source files .TP .I \-r, \-\-remove Remove specified module .TP +.I \-D, \-\-deleteall +Remove all local customizations related to modules +.TP .I \-d \-\-disable Disable specified module .TP @@ -48,8 +53,8 @@ List all modules # semanage module \-l Disable unconfined module # semanage module \-\-disable unconfined -Install custom apache policy module -# semanage module \-a myapache +Install custom apache policy module (same as #semodule -i myapache.pp) +# semanage module \-a myapache.pp .SH "SEE ALSO" .BR selinux (8), diff --git a/python/semanage/semanage-node.8 b/python/semanage/semanage-node.8 index a0098221..c78d6c3e 100644 --- a/python/semanage/semanage-node.8 +++ b/python/semanage/semanage-node.8 
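Review bot: In semanage-module.8 the new `\-D, \-\-deleteall` entry lists a `\-D` short option that the SYNOPSIS line at the top of the same hunk does not show (it has only `\-\-deleteall`); update the synopsis or drop the short form so the two agree. "Install specified module. Accepts both binary policy files (.pp) and CIL source files" is missing its full stop, and the example comment "(same as #semodule -i myapache.pp)" needs a space after `#` and `\-i` escaping, matching the surrounding commands.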
@@ -7,12 +7,14 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage controls the ipaddress to node type definitions. +from policy sources. +.B semanage node +controls the IP address to node type definitions. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -54,5 +56,13 @@ SELinux type for the object MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. .TP .I \-p PROTO, \-\-proto PROTO - Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6). + +.SH "EXAMPLE" +.nf +Apply type node_t to ipv4 node 127.0.0.2 +# semanage node \-a \-t node_t \-p ipv4 \-M 255.255.255.255 127.0.0.2 + +.SH "SEE ALSO" +.BR selinux (8), +.BR semanage (8) diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8 index 5c3364fa..0414a850 100644 --- a/python/semanage/semanage-permissive.8 +++ b/python/semanage/semanage-permissive.8 
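Review bot: In semanage-node.8 the `\-p PROTO, \-\-proto PROTO` entry reads as losing its description: the "Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6)" line is shown removed and nothing replaces it before the new EXAMPLE section. If the aim is to drop the port-centric wording, replace it with "Internet protocol version for the specified node (ipv4|ipv6)" rather than leaving the option undocumented.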
@@ -5,12 +5,14 @@ .B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list) .SH "DESCRIPTION" -semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module. +semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. +.B semanage permissive +adds or removes a SELinux Policy permissive module. Please note that this command can make any domain permissive, but can only remove the permissive property from domains where it was added by semanage permissive ("semanage permissive -d" can only be used on types listed as "Customized Permissive Types" by "semanage permissive -l"). .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-a, \-\-add Add a record of the specified object type @@ -38,7 +40,7 @@ Select an alternate SELinux Policy Store to manage .SH EXAMPLE .nf -List all permissive modules +List all permissive domains ("Builtin Permissive Types" where set by the system policy, or a custom policy module) # semanage permissive \-l Make httpd_t (Web Server) a permissive domain # semanage permissive \-a httpd_t diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8 index 12ec14c2..c6048660 100644 --- a/python/semanage/semanage-port.8 +++ b/python/semanage/semanage-port.8 
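Review bot: In semanage-permissive.8 the reworded example heading 'List all permissive domains ("Builtin Permissive Types" where set by the system policy, or a custom policy module)' has a typo ("where" for "were") and is hard to parse; suggest: List all permissive domains ("Builtin Permissive Types" were made permissive by the system policy or a policy module, "Customized Permissive Types" by semanage permissive). That also ties the listing to the new DESCRIPTION sentence explaining that `\-d` only works on Customized Permissive Types, so the restriction is stated once and referenced, not repeated.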
@@ -5,12 +5,14 @@ .B semanage port [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ] .SH "DESCRIPTION" -semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type definitions. +semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. +.B semanage port +controls the port number to port type definitions. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -55,9 +57,9 @@ Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version .nf List all port definitions # semanage port \-l -Allow Apache to listen on tcp port 81 +Allow Apache to listen on tcp port 81 (i.e. assign tcp port 81 label http_port_t, which apache is allowed to listen on) # semanage port \-a \-t http_port_t \-p tcp 81 -Allow sshd to listen on tcp port 8991 +Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991 label ssh_port_t, which sshd is allowed to listen on) # semanage port \-a \-t ssh_port_t \-p tcp 8991 .SH "SEE ALSO" diff --git a/python/semanage/semanage-user.8 b/python/semanage/semanage-user.8 index 23fec698..50d50bea 100644 --- a/python/semanage/semanage-user.8 +++ b/python/semanage/semanage-user.8 
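Review bot: In semanage-port.8 the two reworded example headings are long single lines inside an `.nf` block, so they will not wrap in the rendered page; break them with `.br` or shorten, e.g. "Allow Apache to listen on tcp port 81 (label it http_port_t)". Also "apache" is lower-case in the parenthetical while the same line says "Apache".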
@@ -7,12 +7,14 @@ .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels. +from policy sources. +.B semanage user +controls the mapping between an SELinux User and the roles and MLS/MCS levels. .SH "OPTIONS" .TP .I \-h, \-\-help -show this help message and exit +Show this help message and exit .TP .I \-n, \-\-noheading Do not print heading when listing the specified object type @@ -59,7 +61,7 @@ List SELinux users # semanage user \-l Modify groups for staff_u user # semanage user \-m \-R "system_r unconfined_r staff_r" staff_u -Add level for TopSecret Users +Assign user topsecret_u role staff_r and range s0\-TopSecret # semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u .SH "SEE ALSO"
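Review bot: In semanage-user.8 the kept context line "Modify groups for staff_u user" above the changed example describes `\-R` (roles) as groups; since the example block is being reworded in this hunk, change it to "Modify roles for staff_u user" so it matches the `\-R "system_r unconfined_r staff_r"` command beneath it.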