* policycoreutils manpages needed
From: Russell Coker @ 2011-09-01 5:09 UTC
To: SE-Linux

Has anyone written manpages for genhomedircon, sepolgen-ifgen, and seunshare? If not, is there someone with some spare time and man page writing skill?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policycoreutils manpages needed
From: Daniel J Walsh @ 2011-09-01 13:42 UTC
To: russell; +Cc: SE-Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/01/2011 01:09 AM, Russell Coker wrote:
> Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
> seunshare? If not is there someone with some spare time and man
> page writing skill?
>
We have man pages for genhomedircon and seunshare, although the genhomedircon man page is rather sparse.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5fi6YACgkQrlYvE4MpobOx7wCg6Q4RtrGnq6YgSzA0ELPVoaDI
PLIAoM05zLB/mrjlpGWI79ZuVxs4/u4n
=MvjL
-----END PGP SIGNATURE-----
* Re: policycoreutils manpages needed
From: Guido Trentalancia @ 2011-09-01 21:21 UTC
To: Daniel J Walsh; +Cc: russell, SE-Linux

On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote:
> On 09/01/2011 01:09 AM, Russell Coker wrote:
> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
> > seunshare? If not is there someone with some spare time and man
> > page writing skill?
> >
> We have man pages for genhomedircon and seunshare. Although the
> genhomedircon man page is rather sparse.

If help is needed for manual pages, I can have a look and spare some time. I can start with genhomedircon as suggested by Dan unless other ideas are brought forward...

Regards,

Guido
* Re: policycoreutils manpages needed
From: Eric Paris @ 2011-09-02 1:52 UTC
To: Guido Trentalancia; +Cc: Daniel J Walsh, russell, SE-Linux

On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia <guido@trentalancia.com> wrote:
> On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote:
>> On 09/01/2011 01:09 AM, Russell Coker wrote:
>> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
>> > seunshare? If not is there someone with some spare time and man
>> > page writing skill?
>> >
>> We have man pages for genhomedircon and seunshare. Although the
>> genhomedircon man page is rather sparse.
>
> If help is needed for manual pages, I can have a look and spare some
> time. I can start with genhomedircon as suggested by Dan unless other
> ideas are brought forward...

Just make sure you look at the 'queue' branch of the upstream repo rather than the 'master' branch. I'm pretty sure some of the man pages Dan mentioned only exist in the queue branch.

-Eric
* Re: policycoreutils manpages needed
From: Guido Trentalancia @ 2011-09-12 21:28 UTC
To: Eric Paris; +Cc: Daniel J Walsh, russell, SE-Linux

Hi Eric!

On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote:
> On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia
> <guido@trentalancia.com> wrote:
> > On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote:
> >> On 09/01/2011 01:09 AM, Russell Coker wrote:
> >> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
> >> > seunshare? If not is there someone with some spare time and man
> >> > page writing skill?
> >> >
> >> We have man pages for genhomedircon and seunshare. Although the
> >> genhomedircon man page is rather sparse.
> >
> > If help is needed for manual pages, I can have a look and spare some
> > time. I can start with genhomedircon as suggested by Dan unless other
> > ideas are brought forward...
>
> Just make sure you look at the 'queue' branch of the upstream repo
> rather than the 'master' branch. I'm pretty sure some of the man
> pages Dan mentioned only exist in the queue branch.

Apparently, there isn't a massive difference for the manual pages between the master and the queue branches. In particular there are no new manual pages being introduced in the queue branch (although there are some modifications to existing pages mainly due to modifications in the tools).

I would like to take this opportunity to suggest that we create manual pages for configuration files where possible (none available at the moment ?!?).

For example, the very first one I would like to have is semanage.conf.5.

Then we could also create restorecond.conf.5 and restorecond_user.conf.5 (both of them should be trivial).

There might be very slight improvements possible for the seunshare manual page. The manual pages for sepolgen* are missing and therefore will need to be created from scratch. The manual page for sandbox.8 could be improved by mentioning that a configuration file exists in $(DESTDIR)/etc/sysconfig/sandbox (along with a manual page sandbox.conf.5).

That said, I am now going to start creating semanage.conf.5...

Regards,

Guido
* Re: policycoreutils manpages needed
From: Eric Paris @ 2011-09-12 22:03 UTC
To: Guido Trentalancia; +Cc: Daniel J Walsh, russell, SE-Linux

That sounds great! Thanks!

-Eric

On Mon, Sep 12, 2011 at 5:28 PM, Guido Trentalancia <guido@trentalancia.com> wrote:
> I would like to take this opportunity to suggest that we create manual
> pages for configuration files where possible (none available at the
> moment ?!?).
>
> For example, the very first one I would like to have is
> semanage.conf.5.
>
> Then we could also create restorecond.conf.5 and restorecond_user.conf.5
> (both of them should be trivial).
>
> There might be very slight improvements possible for the seunshare
> manual page. The manual pages for sepolgen* are missing and therefore
> will need to be created from scratch. The manual page for sandbox.8
> could be improved by mentioning that a configuration file exists in
> $(DESTDIR)/etc/sysconfig/sandbox (along with a manual page
> sandbox.conf.5).
>
> That said, I am now going to start creating semanage.conf.5...
>
> Regards,
>
> Guido
* [RFC] semanage.conf manual page (was Re: policycoreutils manpages needed)
From: Guido Trentalancia @ 2011-09-13 5:00 UTC
To: Eric Paris; +Cc: Daniel J Walsh, russell, SE-Linux

So, here is a first new manual page that I propose to introduce: semanage.conf(5).

On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote:
> On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote:
> > On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia
> > <guido@trentalancia.com> wrote:
> > > On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote:
> > >> On 09/01/2011 01:09 AM, Russell Coker wrote:
> > >> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
> > >> > seunshare? If not is there someone with some spare time and man
> > >> > page writing skill?

[cut]

> I would like to take this opportunity to suggest that we create manual
> pages for configuration files where possible (none available at the
> moment ?!?).
>
> For example, the very first one I would like to have is
> semanage.conf.5.

diff -pruN selinux/policycoreutils/semanage/semanage.conf.5 selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5
--- selinux/policycoreutils/semanage/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100
+++ selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200
@@ -0,0 +1,93 @@ +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" +.SH NAME +semanage.conf \- global configuration file for the SELinux Management library +.SH DESCRIPTION +.PP +The +.BR semanage.conf +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the +behavior of the SELinux Management library. + +.PP +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that +parameter. Anything after the "#" symbol is ignored similarly to empty lines. + +.PP +The following parameters are allowed: + +.RS +.TP +.B module-store +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux +Management library writes to the SELinux policy module store directly (this is the default setting). +Otherwise a socket path or a server name can be used for the argument. +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management +server. +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate +the two fields). + +.TP +.B policy-version +When generating the policy, by default +.BR semanage +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different +version needs to be set for the policy. + +.TP +.B expand-check +Whether or not to check "neverallow" rules when executing all +.BR semanage +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large +penalty in execution time if this option is enabled. 
+ +.TP +.B file-mode +By default the permission mode for the run-time policy files is set to 0644. + +.TP +.B save-previous +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to +either "true" or "false". By default it is set to "false" (the previous version is deleted). + +.TP +.B save-linked +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). + +.TP +.B usepasswd +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". +By default it is set to "true". + +.TP +.B disable-genhomedircon +It controls whether or not the genhomedircon function is executed when using the +.BR semanage +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent +to this option set to "false"). + +.TP +.B handle-unknown +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. +It can be set to "deny", "reject" or "allow". + +.TP +.B bzip-blocksize +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block +size value is obtained after multiplication by 100000). + +.TP +.B bzip-small +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and +by default it is set to "false". + +.SH "SEE ALSO" +.TP +semanage(8) +.PP + +.SH AUTHOR +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. + +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. Very simple, but possibly useful... 
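Review bot: the .RS that opens the parameter list is never closed, and the SEE ALSO section is a bare .TP with no tag line followed by an empty .PP. Add .RE after the bzip-small entry (before .SH "SEE ALSO") so the relative indent is balanced instead of relying on .SH to reset it, and write the cross-reference as `.BR semanage (8)` so it renders as a proper bold reference rather than an empty tagged paragraph. Two wording fixes in the same hunk: "when executing all semanage command" should read "commands", and "enable the use getpwent()" should read "enable the use of getpwent()".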
Regards,

Guido
* Re: [RFC] semanage.conf manual page (was Re: policycoreutils manpages needed)
From: Guido Trentalancia @ 2011-09-13 5:27 UTC
To: Eric Paris; +Cc: Daniel J Walsh, russell, SELinux

With the bits to install it:

diff -pruN selinux-13092011-new/policycoreutils/semanage/Makefile selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile
--- selinux-13092011-new/policycoreutils/semanage/Makefile 2011-09-13 03:10:39.427692261 +0200
+++ selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile 2011-09-13 07:22:46.159015090 +0200
@@ -11,9 +11,11 @@ TARGETS=semanage all: $(TARGETS) install: all + [ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5 [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 -mkdir -p $(SBINDIR) install -m 755 semanage $(SBINDIR) + install -m 644 semanage.conf.5 $(MANDIR)/man5 install -m 644 semanage.8 $(MANDIR)/man8 test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages On Tue, 2011-09-13 at 07:00 +0200, Guido Trentalancia wrote: > So, here is a first new manual page that I propose to introduce: > semanage.conf(5). > > On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote: > > On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote: > > > On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia > > > <guido@trentalancia.com> wrote: > > > > On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote: > > > >> On 09/01/2011 01:09 AM, Russell Coker wrote: > > > >> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and > > > >> > seunshare? If not is there someone with some spare time and man > > > >> > page writing skill? > > [cut] > > > I would like to take this opportunity to suggest that we create manual > > pages for configuration files where possible (none available at the > > moment ?!?). > > > > For example, the very first one I would like to have is > > semanage.conf.5. > > diff -pruN selinux/policycoreutils/semanage/semanage.conf.5 selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 > --- selinux/policycoreutils/semanage/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 > +++ selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200 
> @@ -0,0 +1,93 @@ > +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" > +.SH NAME > +semanage.conf \- global configuration file for the SELinux Management library > +.SH DESCRIPTION > +.PP > +The > +.BR semanage.conf > +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the > +behavior of the SELinux Management library. > + > +.PP > +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that > +parameter. Anything after the "#" symbol is ignored similarly to empty lines. > + > +.PP > +The following parameters are allowed: > + > +.RS > +.TP > +.B module-store > +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux > +Management library writes to the SELinux policy module store directly (this is the default setting). > +Otherwise a socket path or a server name can be used for the argument. > +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management > +server. > +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server > +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate > +the two fields). > + > +.TP > +.B policy-version > +When generating the policy, by default > +.BR semanage > +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > +version needs to be set for the policy. > + > +.TP > +.B expand-check > +Whether or not to check "neverallow" rules when executing all > +.BR semanage > +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. 
There might be a large > +penalty in execution time if this option is enabled. > + > +.TP > +.B file-mode > +By default the permission mode for the run-time policy files is set to 0644. > + > +.TP > +.B save-previous > +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to > +either "true" or "false". By default it is set to "false" (the previous version is deleted). > + > +.TP > +.B save-linked > +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. > +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). > + > +.TP > +.B usepasswd > +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". > +By default it is set to "true". > + > +.TP > +.B disable-genhomedircon > +It controls whether or not the genhomedircon function is executed when using the > +.BR semanage > +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent > +to this option set to "false"). > + > +.TP > +.B handle-unknown > +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. > +It can be set to "deny", "reject" or "allow". > + > +.TP > +.B bzip-blocksize > +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block > +size value is obtained after multiplication by 100000). > + > +.TP > +.B bzip-small > +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and > +by default it is set to "false". > + > +.SH "SEE ALSO" > +.TP > +semanage(8) > +.PP > + > +.SH AUTHOR > +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. 
> + > +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. > > Very simple, but possibly useful... > > Regards, > > Guido
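Review bot: on the policycoreutils/semanage/Makefile hunk in the message above, the added `[ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5` test is redundant, because `mkdir -p` already succeeds silently when the directory exists; it copies the pattern of the existing man8 line, so either keep it for symmetry or reduce both lines to a plain `mkdir -p`. The install line `install -m 644 semanage.conf.5 $(MANDIR)/man5` assumes the page lives next to semanage.8 in the policycoreutils tree; if the page is moved to libsemanage, this rule and the man5 directory creation should move with it so the same page is not installed from two places.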
* Re: [RFC v2] semanage.conf manual page (was Re: [RFC] semanage.conf manual page)
From: Guido Trentalancia @ 2011-09-13 16:03 UTC
To: Eric Paris; +Cc: russell, SELinux

The new semanage.conf(5) manual page actually goes much better in the libsemanage directory...

First introduce the support for the PREFIX variable in the Makefiles for libraries' manual pages:

--- selinux/libselinux/man/Makefile 2011-09-09 20:12:55.982662190 +0200 +++ selinux-13092011-new-manual-pages/libselinux/man/Makefile 2011-09-13 17:48:46.300905476 +0200 @@ -1,7 +1,8 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 +MAN8DIR ?= $(PREFIX)/share/man/man8 install: mkdir -p $(MAN3DIR) @@ -10,4 +11,3 @@ install: install -m 644 man3/*.3 $(MAN3DIR) install -m 644 man5/*.5 $(MAN5DIR) install -m 644 man8/*.8 $(MAN8DIR) - --- selinux/libsepol/man/Makefile 2011-09-09 20:12:56.021662468 +0200 +++ selinux-13092011-new-manual-pages/libsepol/man/Makefile 2011-09-13 17:47:39.752630529 +0200 @@ -1,6 +1,7 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN8DIR ?= $(PREFIX)/share/man/man8 install: mkdir -p $(MAN3DIR) --- selinux/libsemanage/man/Makefile 2011-09-09 20:12:56.003662337 +0200 +++ selinux-13092011-new-manual-pages/libsemanage/man/Makefile 2011-09-13 17:46:49.324420640 +0200
@@ -1,7 +1,7 @@ # Installation directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 install: mkdir -p $(MAN3DIR) install -m 644 man3/*.3 $(MAN3DIR) - Then introduce the new semanage.conf(5) manual page as appropriate: diff -pruN selinux-13092011-new-manual-pages/libsemanage/man/Makefile selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile --- selinux-13092011-new-manual-pages/libsemanage/man/Makefile 2011-09-13 17:46:49.324420640 +0200 +++ selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile 2011-09-13 17:52:46.605950570 +0200 @@ -1,7 +1,10 @@ # Installation directories. PREFIX ?= $(DESTDIR)/usr MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 install: mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) install -m 644 man3/*.3 $(MAN3DIR) + install -m 644 man5/*.5 $(MAN5DIR) diff -pruN selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 --- selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 +++ selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200 
@@ -0,0 +1,93 @@ +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" +.SH NAME +semanage.conf \- global configuration file for the SELinux Management library +.SH DESCRIPTION +.PP +The +.BR semanage.conf +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the +behavior of the SELinux Management library. + +.PP +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that +parameter. Anything after the "#" symbol is ignored similarly to empty lines. + +.PP +The following parameters are allowed: + +.RS +.TP +.B module-store +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux +Management library writes to the SELinux policy module store directly (this is the default setting). +Otherwise a socket path or a server name can be used for the argument. +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management +server. +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate +the two fields). + +.TP +.B policy-version +When generating the policy, by default +.BR semanage +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different +version needs to be set for the policy. + +.TP +.B expand-check +Whether or not to check "neverallow" rules when executing all +.BR semanage +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large +penalty in execution time if this option is enabled. 
+ +.TP +.B file-mode +By default the permission mode for the run-time policy files is set to 0644. + +.TP +.B save-previous +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to +either "true" or "false". By default it is set to "false" (the previous version is deleted). + +.TP +.B save-linked +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). + +.TP +.B usepasswd +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". +By default it is set to "true". + +.TP +.B disable-genhomedircon +It controls whether or not the genhomedircon function is executed when using the +.BR semanage +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent +to this option set to "false"). + +.TP +.B handle-unknown +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. +It can be set to "deny", "reject" or "allow". + +.TP +.B bzip-blocksize +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block +size value is obtained after multiplication by 100000). + +.TP +.B bzip-small +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and +by default it is set to "false". + +.SH "SEE ALSO" +.TP +semanage(8) +.PP + +.SH AUTHOR +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. + +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. 
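Review bot: in the libselinux, libsepol and libsemanage man/Makefile hunks, `PREFIX ?= $(DESTDIR)/usr` folds the staging directory into the installation prefix, so any caller who overrides PREFIX (for example `make PREFIX=/usr/local install`) silently drops DESTDIR and a staged build writes into the live filesystem. Keep the two separate: `PREFIX ?= /usr` and `MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3` (likewise for MAN5DIR and MAN8DIR). If the rest of the tree deliberately defines PREFIX this way, a one-line comment next to the definition saying so would spare the next reader the same question.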
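Review bot: in the semanage.conf.5 hunk, the file-mode entry states only the default (0644) and never says what the parameter sets, and handle-unknown lists the accepted values (deny, reject, allow) but not which one applies when the line is absent. Since the page exists to document the library's run-time defaults, every parameter entry should say both what it controls and its default, following the pattern the save-previous and bzip-blocksize entries already use. The DESCRIPTION also says the file "is usually located under the directory /etc/selinux"; a FILES section naming the path is the conventional place for that, and keeps the location out of the prose.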
Regards, Guido On Tue, 2011-09-13 at 07:27 +0200, Guido Trentalancia wrote: > With the bits to install it: > > diff -pruN selinux-13092011-new/policycoreutils/semanage/Makefile selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile > --- selinux-13092011-new/policycoreutils/semanage/Makefile 2011-09-13 03:10:39.427692261 +0200 > +++ selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile 2011-09-13 07:22:46.159015090 +0200 
> @@ -11,9 +11,11 @@ TARGETS=semanage > all: $(TARGETS) > > install: all > + [ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5 > [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 > -mkdir -p $(SBINDIR) > install -m 755 semanage $(SBINDIR) > + install -m 644 semanage.conf.5 $(MANDIR)/man5 > install -m 644 semanage.8 $(MANDIR)/man8 > test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages > install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages > > On Tue, 2011-09-13 at 07:00 +0200, Guido Trentalancia wrote: > > So, here is a first new manual page that I propose to introduce: > > semanage.conf(5). > > > > On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote: > > > On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote: > > > > On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia > > > > <guido@trentalancia.com> wrote: > > > > > On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote: > > > > >> On 09/01/2011 01:09 AM, Russell Coker wrote: > > > > >> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and > > > > >> > seunshare? If not is there someone with some spare time and man > > > > >> > page writing skill? > > > > [cut] > > > > > I would like to take this opportunity to suggest that we create manual > > > pages for configuration files where possible (none available at the > > > moment ?!?). > > > > > > For example, the very first one I would like to have is > > > semanage.conf.5. > > > > diff -pruN selinux/policycoreutils/semanage/semanage.conf.5 selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 > > --- selinux/policycoreutils/semanage/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 > > +++ selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200 
> > @@ -0,0 +1,93 @@ > > +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" > > +.SH NAME > > +semanage.conf \- global configuration file for the SELinux Management library > > +.SH DESCRIPTION > > +.PP > > +The > > +.BR semanage.conf > > +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the > > +behavior of the SELinux Management library. > > + > > +.PP > > +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that > > +parameter. Anything after the "#" symbol is ignored similarly to empty lines. > > + > > +.PP > > +The following parameters are allowed: > > + > > +.RS > > +.TP > > +.B module-store > > +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux > > +Management library writes to the SELinux policy module store directly (this is the default setting). > > +Otherwise a socket path or a server name can be used for the argument. > > +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management > > +server. > > +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server > > +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate > > +the two fields). > > + > > +.TP > > +.B policy-version > > +When generating the policy, by default > > +.BR semanage > > +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > > +version needs to be set for the policy. > > + > > +.TP > > +.B expand-check > > +Whether or not to check "neverallow" rules when executing all > > +.BR semanage > > +command. 
It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large > > +penalty in execution time if this option is enabled. > > + > > +.TP > > +.B file-mode > > +By default the permission mode for the run-time policy files is set to 0644. > > + > > +.TP > > +.B save-previous > > +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to > > +either "true" or "false". By default it is set to "false" (the previous version is deleted). > > + > > +.TP > > +.B save-linked > > +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. > > +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). > > + > > +.TP > > +.B usepasswd > > +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". > > +By default it is set to "true". > > + > > +.TP > > +.B disable-genhomedircon > > +It controls whether or not the genhomedircon function is executed when using the > > +.BR semanage > > +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent > > +to this option set to "false"). > > + > > +.TP > > +.B handle-unknown > > +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. > > +It can be set to "deny", "reject" or "allow". > > + > > +.TP > > +.B bzip-blocksize > > +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block > > +size value is obtained after multiplication by 100000). > > + > > +.TP > > +.B bzip-small > > +When set to "true", the bzip algorithm shall try to reduce its system memory usage. 
It can be set to either "true" or "false" and > > +by default it is set to "false". > > + > > +.SH "SEE ALSO" > > +.TP > > +semanage(8) > > +.PP > > + > > +.SH AUTHOR > > +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. > > + > > +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. > > > > Very simple, but possibly useful... > > > > Regards, > > > > Guido
* [PATCH v3] semanage.conf manual page 2011-09-13 16:03 ` [RFC v2] semanage.conf manual page (was Re: [RFC] semanage.conf manual page) Guido Trentalancia @ 2011-09-15 4:51 ` Guido Trentalancia 2011-09-19 11:30 ` Daniel J Walsh 0 siblings, 1 reply; 14+ messages in thread From: Guido Trentalancia @ 2011-09-15 4:51 UTC (permalink / raw) To: Eric Paris; +Cc: russell, SELinux An updated version of this patch is now available because the previous patch was no longer applying cleanly after a few Makefiles had been changed: Create a manual page for semanage.conf (section 5). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile 2011-09-15 05:21:20.959262094 +0200 +++ selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile 2011-09-15 06:38:01.739574479 +0200 @@ -1,7 +1,8 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 +MAN8DIR ?= $(PREFIX)/share/man/man8 all: 
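Review bot: the @@ -1,7 +1,8 @@ hunk for libselinux/man/Makefile is unrelated to adding semanage.conf(5): it introduces `PREFIX ?= $(DESTDIR)/usr` and reorders the MAN3DIR/MAN5DIR/MAN8DIR definitions in a library whose man pages this patch does not touch, and the @@ -12,4 +13,3 @@ hunk that follows only drops a trailing blank line. Split the PREFIX refactoring of the libselinux and libsepol man Makefiles into a patch of its own so the man page change can be reviewed and reverted independently; the commit message ("Create a manual page for semanage.conf (section 5).") does not mention these changes at all.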
@@ -12,4 +13,3 @@ install: install -m 644 man3/*.3 $(MAN3DIR) install -m 644 man5/*.5 $(MAN5DIR) install -m 644 man8/*.8 $(MAN8DIR) - diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile.orig selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile.orig --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile.orig 1970-01-01 01:00:00.000000000 +0100 +++ selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile.orig 2011-09-15 06:28:17.238120345 +0200 @@ -0,0 +1,15 @@ +# Installation directories. +MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 +MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 + +all: + +install: + mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) + mkdir -p $(MAN8DIR) + install -m 644 man3/*.3 $(MAN3DIR) + install -m 644 man5/*.5 $(MAN5DIR) + install -m 644 man8/*.8 $(MAN8DIR) + diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/Makefile selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/Makefile --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/Makefile 2011-09-15 05:21:20.959262094 +0200 +++ selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/Makefile 2011-09-15 06:42:00.734396974 +0200 
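Review bot: the @@ -0,0 +1,15 @@ hunk adding libselinux/man/Makefile.orig is a stray backup copy of the pre-patch Makefile, not source, and must be dropped: `diff -pruN` picked it up because the working tree still contained the `.orig` file left behind by `patch`. Regenerate the diff from a clean tree (or delete the `*.orig` files first) so that only the intended files appear in the patch.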
@@ -1,9 +1,12 @@ # Installation directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 all: install: mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) install -m 644 man3/*.3 $(MAN3DIR) - + install -m 644 man5/*.5 $(MAN5DIR) diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/man5/semanage.conf.5 selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/man5/semanage.conf.5 --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/man5/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 +++ selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/man5/semanage.conf.5 2011-09-15 06:42:41.066704601 +0200 
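Review bot: in the libsemanage/man/Makefile @@ -1,9 +1,12 @@ hunk only the three MAN5DIR lines (`+MAN5DIR ?= $(PREFIX)/share/man/man5`, `+ mkdir -p $(MAN5DIR)`, `+ install -m 644 man5/*.5 $(MAN5DIR)`) are needed for the new page; the `PREFIX` introduction and the removal of the trailing blank line belong with the PREFIX refactor of the other Makefiles. If that refactor is split out, define MAN5DIR here the same way MAN3DIR is defined today so this hunk applies on its own.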
@@ -0,0 +1,93 @@ +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" +.SH NAME +semanage.conf \- global configuration file for the SELinux Management library +.SH DESCRIPTION +.PP +The +.BR semanage.conf +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the +behavior of the SELinux Management library. + +.PP +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that +parameter. Anything after the "#" symbol is ignored similarly to empty lines. + +.PP +The following parameters are allowed: + +.RS +.TP +.B module-store +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux +Management library writes to the SELinux policy module store directly (this is the default setting). +Otherwise a socket path or a server name can be used for the argument. +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management +server. +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate +the two fields). + +.TP +.B policy-version +When generating the policy, by default +.BR semanage +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different +version needs to be set for the policy. + +.TP +.B expand-check +Whether or not to check "neverallow" rules when executing all +.BR semanage +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large +penalty in execution time if this option is enabled. 
+ +.TP +.B file-mode +By default the permission mode for the run-time policy files is set to 0644. + +.TP +.B save-previous +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to +either "true" or "false". By default it is set to "false" (the previous version is deleted). + +.TP +.B save-linked +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). + +.TP +.B usepasswd +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". +By default it is set to "true". + +.TP +.B disable-genhomedircon +It controls whether or not the genhomedircon function is executed when using the +.BR semanage +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent +to this option set to "false"). + +.TP +.B handle-unknown +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. +It can be set to "deny", "reject" or "allow". + +.TP +.B bzip-blocksize +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block +size value is obtained after multiplication by 100000). + +.TP +.B bzip-small +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and +by default it is set to "false". + +.SH "SEE ALSO" +.TP +semanage(8) +.PP + +.SH AUTHOR +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. + +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. 
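Review bot: in the semanage.conf.5 hunk the `.RS` issued before the first `.TP` is never closed with `.RE`, so the indent stays in effect through SEE ALSO and AUTHOR; add `.RE` after the `bzip-small` entry. The SEE ALSO section should not use a tagless `.TP` followed by an empty `.PP`; `.BR semanage (8)` on its own line is the usual form, and `.BR semanage.conf` with a single argument should be `.B semanage.conf`, since `.BR` alternates bold and roman arguments. Wording to fix before this is merged: "when executing all semanage command" (any semanage command), "enable the use getpwent()" (the use of getpwent()), and "the bzip algorithm shall try" (will try). Two content points need checking against the libsemanage parser: `expand-check` is documented as "0"/"1" while every other boolean here takes "true"/"false", so document both spellings only if the parser accepts both; and `handle-unknown` is the only option without a stated default. Also phrase `file-mode` as a tunable, e.g. "Permission mode for the run-time policy files; the default is 0644", since the current sentence reads as a statement of fact rather than something the administrator can set.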
diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/tests/test_semanage_store.c selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/tests/test_semanage_store.c diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsepol/man/Makefile selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsepol/man/Makefile --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsepol/man/Makefile 2011-09-15 05:21:20.959262094 +0200 +++ selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsepol/man/Makefile 2011-09-15 06:38:54.892976846 +0200 @@ -1,6 +1,7 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN8DIR ?= $(PREFIX)/share/man/man8 all: On Tue, 2011-09-13 at 18:03 +0200, Guido Trentalancia wrote: > The new semanage.conf(5) manual page actually goes much better in the > libsemanage directory... > > First introduce the support for the PREFIX variable in the Makefiles for > libraries' manual pages: > > --- selinux/libselinux/man/Makefile 2011-09-09 20:12:55.982662190 +0200 > +++ selinux-13092011-new-manual-pages/libselinux/man/Makefile 2011-09-13 17:48:46.300905476 +0200 > @@ -1,7 +1,8 @@ > # Installation directories. > -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 > -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 > -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 > +PREFIX ?= $(DESTDIR)/usr > +MAN3DIR ?= $(PREFIX)/share/man/man3 > +MAN5DIR ?= $(PREFIX)/share/man/man5 > +MAN8DIR ?= $(PREFIX)/share/man/man8 > > install: > mkdir -p $(MAN3DIR) 
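Review bot: the libsepol/man/Makefile @@ -1,6 +1,7 @@ hunk is preceded by a bare `diff -pruN .../libsemanage/tests/test_semanage_store.c ...` header with no hunk body, which shows the two trees differ in that file in a way the diff could not express; a man page patch should not touch the libsemanage test sources at all. As with the libselinux change, the libsepol PREFIX introduction is unrelated to semanage.conf(5) and belongs in the separate PREFIX patch; regenerate this one from a tree that contains only the man page and the libsemanage/man/Makefile change.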
> @@ -10,4 +11,3 @@ install: > install -m 644 man3/*.3 $(MAN3DIR) > install -m 644 man5/*.5 $(MAN5DIR) > install -m 644 man8/*.8 $(MAN8DIR) > - > --- selinux/libsepol/man/Makefile 2011-09-09 20:12:56.021662468 +0200 > +++ selinux-13092011-new-manual-pages/libsepol/man/Makefile 2011-09-13 17:47:39.752630529 +0200 > @@ -1,6 +1,7 @@ > # Installation directories. > -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 > -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 > +PREFIX ?= $(DESTDIR)/usr > +MAN3DIR ?= $(PREFIX)/share/man/man3 > +MAN8DIR ?= $(PREFIX)/share/man/man8 > > install: > mkdir -p $(MAN3DIR) > --- selinux/libsemanage/man/Makefile 2011-09-09 20:12:56.003662337 +0200 > +++ selinux-13092011-new-manual-pages/libsemanage/man/Makefile 2011-09-13 17:46:49.324420640 +0200 > @@ -1,7 +1,7 @@ > # Installation directories. > -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 > +PREFIX ?= $(DESTDIR)/usr > +MAN3DIR ?= $(PREFIX)/share/man/man3 > > install: > mkdir -p $(MAN3DIR) > install -m 644 man3/*.3 $(MAN3DIR) > - > > Then introduce the new semanage.conf(5) manual page as appropriate: > > diff -pruN selinux-13092011-new-manual-pages/libsemanage/man/Makefile selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile > --- selinux-13092011-new-manual-pages/libsemanage/man/Makefile 2011-09-13 17:46:49.324420640 +0200 > +++ selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile 2011-09-13 17:52:46.605950570 +0200 
> @@ -1,7 +1,10 @@ > # Installation directories. > PREFIX ?= $(DESTDIR)/usr > MAN3DIR ?= $(PREFIX)/share/man/man3 > +MAN5DIR ?= $(PREFIX)/share/man/man5 > > install: > mkdir -p $(MAN3DIR) > + mkdir -p $(MAN5DIR) > install -m 644 man3/*.3 $(MAN3DIR) > + install -m 644 man5/*.5 $(MAN5DIR) > diff -pruN selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 > --- selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 > +++ selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200 
> @@ -0,0 +1,93 @@ > +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" > +.SH NAME > +semanage.conf \- global configuration file for the SELinux Management library > +.SH DESCRIPTION > +.PP > +The > +.BR semanage.conf > +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the > +behavior of the SELinux Management library. > + > +.PP > +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that > +parameter. Anything after the "#" symbol is ignored similarly to empty lines. > + > +.PP > +The following parameters are allowed: > + > +.RS > +.TP > +.B module-store > +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux > +Management library writes to the SELinux policy module store directly (this is the default setting). > +Otherwise a socket path or a server name can be used for the argument. > +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management > +server. > +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server > +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate > +the two fields). > + > +.TP > +.B policy-version > +When generating the policy, by default > +.BR semanage > +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > +version needs to be set for the policy. > + > +.TP > +.B expand-check > +Whether or not to check "neverallow" rules when executing all > +.BR semanage > +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. 
There might be a large > +penalty in execution time if this option is enabled. > + > +.TP > +.B file-mode > +By default the permission mode for the run-time policy files is set to 0644. > + > +.TP > +.B save-previous > +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to > +either "true" or "false". By default it is set to "false" (the previous version is deleted). > + > +.TP > +.B save-linked > +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. > +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). > + > +.TP > +.B usepasswd > +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". > +By default it is set to "true". > + > +.TP > +.B disable-genhomedircon > +It controls whether or not the genhomedircon function is executed when using the > +.BR semanage > +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent > +to this option set to "false"). > + > +.TP > +.B handle-unknown > +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. > +It can be set to "deny", "reject" or "allow". > + > +.TP > +.B bzip-blocksize > +It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block > +size value is obtained after multiplication by 100000). > + > +.TP > +.B bzip-small > +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and > +by default it is set to "false". > + > +.SH "SEE ALSO" > +.TP > +semanage(8) > +.PP > + > +.SH AUTHOR > +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. 
> + > +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. > > Regards, > > Guido > > On Tue, 2011-09-13 at 07:27 +0200, Guido Trentalancia wrote: > > With the bits to install it: > > > > diff -pruN selinux-13092011-new/policycoreutils/semanage/Makefile selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile > > --- selinux-13092011-new/policycoreutils/semanage/Makefile 2011-09-13 03:10:39.427692261 +0200 > > +++ selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile 2011-09-13 07:22:46.159015090 +0200 
> > @@ -11,9 +11,11 @@ TARGETS=semanage > > all: $(TARGETS) > > > > install: all > > + [ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5 > > [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 > > -mkdir -p $(SBINDIR) > > install -m 755 semanage $(SBINDIR) > > + install -m 644 semanage.conf.5 $(MANDIR)/man5 > > install -m 644 semanage.8 $(MANDIR)/man8 > > test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages > > install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages > > > > On Tue, 2011-09-13 at 07:00 +0200, Guido Trentalancia wrote: > > > So, here is a first new manual page that I propose to introduce: > > > semanage.conf(5). > > > > > > On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote: > > > > On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote: > > > > > On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia > > > > > <guido@trentalancia.com> wrote: > > > > > > On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote: > > > > > >> On 09/01/2011 01:09 AM, Russell Coker wrote: > > > > > >> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and > > > > > >> > seunshare? If not is there someone with some spare time and man > > > > > >> > page writing skill? > > > > > > [cut] > > > > > > > I would like to take this opportunity to suggest that we create manual > > > > pages for configuration files where possible (none available at the > > > > moment ?!?). > > > > > > > > For example, the very first one I would like to have is > > > > semanage.conf.5. > > > > > > diff -pruN selinux/policycoreutils/semanage/semanage.conf.5 selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 > > > --- selinux/policycoreutils/semanage/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 > > > +++ selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 2011-09-13 06:54:47.309754193 +0200 
> > > @@ -0,0 +1,93 @@ > > > +.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration" > > > +.SH NAME > > > +semanage.conf \- global configuration file for the SELinux Management library > > > +.SH DESCRIPTION > > > +.PP > > > +The > > > +.BR semanage.conf > > > +file is usually located under the directory /etc/selinux and it is used for run-time configuration of the > > > +behavior of the SELinux Management library. > > > + > > > +.PP > > > +Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that > > > +parameter. Anything after the "#" symbol is ignored similarly to empty lines. > > > + > > > +.PP > > > +The following parameters are allowed: > > > + > > > +.RS > > > +.TP > > > +.B module-store > > > +Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux > > > +Management library writes to the SELinux policy module store directly (this is the default setting). > > > +Otherwise a socket path or a server name can be used for the argument. > > > +If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management > > > +server. > > > +If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server > > > +to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate > > > +the two fields). > > > + > > > +.TP > > > +.B policy-version > > > +When generating the policy, by default > > > +.BR semanage > > > +will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different > > > +version needs to be set for the policy. 
> > > + > > > +.TP > > > +.B expand-check > > > +Whether or not to check "neverallow" rules when executing all > > > +.BR semanage > > > +command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large > > > +penalty in execution time if this option is enabled. > > > + > > > +.TP > > > +.B file-mode > > > +By default the permission mode for the run-time policy files is set to 0644. > > > + > > > +.TP > > > +.B save-previous > > > +It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to > > > +either "true" or "false". By default it is set to "false" (the previous version is deleted). > > > + > > > +.TP > > > +.B save-linked > > > +It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store. > > > +It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). > > > + > > > +.TP > > > +.B usepasswd > > > +Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". > > > +By default it is set to "true". > > > + > > > +.TP > > > +.B disable-genhomedircon > > > +It controls whether or not the genhomedircon function is executed when using the > > > +.BR semanage > > > +command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent > > > +to this option set to "false"). > > > + > > > +.TP > > > +.B handle-unknown > > > +This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy. > > > +It can be set to "deny", "reject" or "allow". > > > + > > > +.TP > > > +.B bzip-blocksize > > > +It should be in the range 0-9. A value of 0 means no compression. 
By default the bzip block size is set to 9 (actual block > > > +size value is obtained after multiplication by 100000). > > > + > > > +.TP > > > +.B bzip-small > > > +When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and > > > +by default it is set to "false". > > > + > > > +.SH "SEE ALSO" > > > +.TP > > > +semanage(8) > > > +.PP > > > + > > > +.SH AUTHOR > > > +This manual page was written by Guido Trentalancia <guido@trentalancia.com>. > > > + > > > +The SELinux management library was written by Tresys Technology LLC and Red Hat Inc. > > > > > > Very simple, but possibly useful... > > > > > > Regards, > > > > > > Guido
* Re: [PATCH v3] semanage.conf manual page 2011-09-15 4:51 ` [PATCH v3] semanage.conf manual page Guido Trentalancia @ 2011-09-19 11:30 ` Daniel J Walsh 0 siblings, 0 replies; 14+ messages in thread From: Daniel J Walsh @ 2011-09-19 11:30 UTC (permalink / raw) To: Guido Trentalancia; +Cc: Eric Paris, russell, SELinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/15/2011 12:51 AM, Guido Trentalancia wrote: > An updated version of this patch is now available because the > previous patch was no longer applying cleanly after a few Makefiles > had been changed: > > Create a manual page for semanage.conf (section 5). > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > --- diff -pruN > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile > > - --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile 2011-09-15 05:21:20.959262094 +0200 > +++ > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile > 2011-09-15 06:38:01.739574479 +0200 @@ -1,7 +1,8 @@ # Installation > directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= > $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= > $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= > $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 > +MAN8DIR ?= $(PREFIX)/share/man/man8 > > all: 
> > @@ -12,4 +13,3 @@ install: install -m 644 man3/*.3 $(MAN3DIR) > install -m 644 man5/*.5 $(MAN5DIR) install -m 644 man8/*.8 > $(MAN8DIR) - diff -pruN > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile.orig > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile.orig > > - --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libselinux/man/Makefile.orig 1970-01-01 01:00:00.000000000 +0100 > +++ > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libselinux/man/Makefile.orig > 2011-09-15 06:28:17.238120345 +0200 @@ -0,0 +1,15 @@ +# > Installation directories. +MAN8DIR ?= > $(DESTDIR)/usr/share/man/man8 +MAN5DIR ?= > $(DESTDIR)/usr/share/man/man5 +MAN3DIR ?= > $(DESTDIR)/usr/share/man/man3 + +all: + +install: + mkdir -p > $(MAN3DIR) + mkdir -p $(MAN5DIR) + mkdir -p $(MAN8DIR) + install -m > 644 man3/*.3 $(MAN3DIR) + install -m 644 man5/*.5 $(MAN5DIR) + > install -m 644 man8/*.8 $(MAN8DIR) + diff -pruN > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/Makefile > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/Makefile > > - --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/Makefile 2011-09-15 05:21:20.959262094 +0200 > +++ > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/Makefile > 2011-09-15 06:42:00.734396974 +0200 
@@ -1,9 +1,12 @@ # Installation > directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= > $(DESTDIR)/usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= > $(PREFIX)/share/man/man5 > > all: > > install: mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) install -m 644 > man3/*.3 $(MAN3DIR) - + install -m 644 man5/*.5 $(MAN5DIR) diff > -pruN > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/man5/semanage.conf.5 > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/man5/semanage.conf.5 > > - --- selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/man/man5/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 > +++ > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/man/man5/semanage.conf.5 > 2011-09-15 06:42:41.066704601 +0200 
@@ -0,0 +1,93 @@ +.TH > semanage.conf "5" "September 2011" "semanage.conf" "Linux System > Administration" +.SH NAME +semanage.conf \- global configuration > file for the SELinux Management library +.SH DESCRIPTION +.PP +The > +.BR semanage.conf +file is usually located under the directory > /etc/selinux and it is used for run-time configuration of the > +behavior of the SELinux Management library. + +.PP +Each line > should contain a configuration parameter followed by the equal sign > ("=") and then followed by the configuration value for that > +parameter. Anything after the "#" symbol is ignored similarly to > empty lines. + +.PP +The following parameters are allowed: + +.RS > +.TP +.B module-store +Specify how the SELinux Management library > should interact with the SELinux policy store. When set to > "direct", the SELinux +Management library writes to the SELinux > policy module store directly (this is the default setting). > +Otherwise a socket path or a server name can be used for the > argument. +If the argument begins with "/" (as in "/foo/bar"), it > represents the path to a named socket that should be used to > connect the policy management +server. +If the argument does not > begin with a "/" (as in "foo.com:4242"), it should be interpreted > as the name of a remote policy management server +to be used > through a TCP connection (default port is 4242 unless a different > one is specified after the server name using the colon to separate > +the two fields). + +.TP +.B policy-version +When generating the > policy, by default +.BR semanage +will set the policy version to > POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. > Change this setting if a different +version needs to be set for the > policy. + +.TP +.B expand-check +Whether or not to check > "neverallow" rules when executing all +.BR semanage +command. It > can be set to either "0" (disabled) or "1" (enabled) and by default > it is enabled. 
There might be a large +penalty in execution time if > this option is enabled. + +.TP +.B file-mode +By default the > permission mode for the run-time policy files is set to 0644. + > +.TP +.B save-previous +It controls whether the previous module > directory is saved after a successful commit to the policy store > and it can be set to +either "true" or "false". By default it is > set to "false" (the previous version is deleted). + +.TP +.B > save-linked +It controls whether the previously linked module is > saved (with name "base.linked") after a successful commit to the > policy store. +It can be set to either "true" or "false" and by > default it is set to "false" (the previous module is deleted). + > +.TP +.B usepasswd +Whether or not to enable the use getpwent() to > obtain a list of home directories to label. It can be set to either > "true" or "false". +By default it is set to "true". + +.TP +.B > disable-genhomedircon +It controls whether or not the genhomedircon > function is executed when using the +.BR semanage +command and it > can be set to either "false" or "true". By default the > genhomedircon functionality is enabled (equivalent +to this option > set to "false"). + +.TP +.B handle-unknown +This option controls > the kernel behavior for handling permissions defined in the kernel > but missing from the actual policy. +It can be set to "deny", > "reject" or "allow". + +.TP +.B bzip-blocksize +It should be in the > range 0-9. A value of 0 means no compression. By default the bzip > block size is set to 9 (actual block +size value is obtained after > multiplication by 100000). + +.TP +.B bzip-small +When set to > "true", the bzip algorithm shall try to reduce its system memory > usage. It can be set to either "true" or "false" and +by default it > is set to "false". + +.SH "SEE ALSO" +.TP +semanage(8) +.PP + +.SH > AUTHOR +This manual page was written by Guido Trentalancia > <guido@trentalancia.com>. 
+ +The SELinux management library was > written by Tresys Technology LLC and Red Hat Inc. diff -pruN > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsemanage/tests/test_semanage_store.c > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsemanage/tests/test_semanage_store.c > > diff -pruN selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsepol/man/Makefile selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsepol/man/Makefile > --- > selinux-14092011-patch-v5-do-not-modify-library-link-creation/libsepol/man/Makefile > 2011-09-15 05:21:20.959262094 +0200 +++ > selinux-14092011-patch-v5-do-not-modify-library-link-creation-new-semanage.conf-manual-page/libsepol/man/Makefile > 2011-09-15 06:38:54.892976846 +0200 @@ -1,6 +1,7 @@ # Installation > directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= > $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR ?= > $(PREFIX)/share/man/man3 +MAN8DIR ?= $(PREFIX)/share/man/man8 > > all: > > > On Tue, 2011-09-13 at 18:03 +0200, Guido Trentalancia wrote: >> The new semanage.conf(5) manual page actually goes much better in >> the libsemanage directory... >> >> First introduce the support for the PREFIX variable in the >> Makefiles for libraries' manual pages: >> >> --- selinux/libselinux/man/Makefile 2011-09-09 20:12:55.982662190 >> +0200 +++ >> selinux-13092011-new-manual-pages/libselinux/man/Makefile >> 2011-09-13 17:48:46.300905476 +0200 @@ -1,7 +1,8 @@ # >> Installation directories. -MAN8DIR ?= >> $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= >> $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= >> $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR >> ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 >> +MAN8DIR ?= $(PREFIX)/share/man/man8 >> >> install: mkdir -p $(MAN3DIR) 
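Review bot: in the semanage.conf.5 hunk the `.RS` that opens the option list is never matched by an `.RE`, so the `.SH "SEE ALSO"` and `.SH AUTHOR` sections inherit the list indent; add `.RE` after the last `.TP` block (bzip-small), and replace the tagless `.TP` under SEE ALSO (where `semanage(8)` ends up as a tag with no body) with `.BR semanage (8)` or plain text. Two wording slips in the same hunk: "Whether or not to enable the use getpwent()" wants "the use of getpwent()", and "when executing all semanage command" should read "every semanage command". Every other option states its default but handle-unknown does not; since "allow" is the permissive choice, the page should say what the library does when the line is absent so an administrator can tell whether an explicit setting is needed.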
@@ -10,4 +11,3 @@ install: install >> -m 644 man3/*.3 $(MAN3DIR) install -m 644 man5/*.5 $(MAN5DIR) >> install -m 644 man8/*.8 $(MAN8DIR) - --- >> selinux/libsepol/man/Makefile 2011-09-09 20:12:56.021662468 >> +0200 +++ selinux-13092011-new-manual-pages/libsepol/man/Makefile >> 2011-09-13 17:47:39.752630529 +0200 @@ -1,6 +1,7 @@ # >> Installation directories. -MAN8DIR ?= >> $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= >> $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR >> ?= $(PREFIX)/share/man/man3 +MAN8DIR ?= $(PREFIX)/share/man/man8 >> >> install: mkdir -p $(MAN3DIR) --- selinux/libsemanage/man/Makefile >> 2011-09-09 20:12:56.003662337 +0200 +++ >> selinux-13092011-new-manual-pages/libsemanage/man/Makefile >> 2011-09-13 17:46:49.324420640 +0200 @@ -1,7 +1,7 @@ # >> Installation directories. -MAN3DIR ?= >> $(DESTDIR)/usr/share/man/man3 +PREFIX ?= $(DESTDIR)/usr +MAN3DIR >> ?= $(PREFIX)/share/man/man3 >> >> install: mkdir -p $(MAN3DIR) install -m 644 man3/*.3 $(MAN3DIR) >> - >> >> Then introduce the new semanage.conf(5) manual page as >> appropriate: >> >> diff -pruN >> selinux-13092011-new-manual-pages/libsemanage/man/Makefile >> selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile >> >> - --- selinux-13092011-new-manual-pages/libsemanage/man/Makefile 2011-09-13 17:46:49.324420640 +0200 >> +++ >> selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/Makefile >> 2011-09-13 17:52:46.605950570 +0200 
@@ -1,7 +1,10 @@ # >> Installation directories. PREFIX ?= $(DESTDIR)/usr MAN3DIR ?= >> $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 >> >> install: mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) install -m 644 >> man3/*.3 $(MAN3DIR) + install -m 644 man5/*.5 $(MAN5DIR) diff >> -pruN >> selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 >> selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 >> >> - --- selinux-13092011-new-manual-pages/libsemanage/man/man5/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 >> +++ >> selinux-13092011-new-manual-pages-semanage.conf/libsemanage/man/man5/semanage.conf.5 >> 2011-09-13 06:54:47.309754193 +0200 
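Review bot: `PREFIX ?= $(DESTDIR)/usr` folds the staging directory into the installation prefix in each of these man/Makefile hunks, so a build that overrides PREFIX (PREFIX=/usr/local, for instance) silently drops DESTDIR and installs into the live system. If the intent is to match the convention the other library Makefiles already use, say so in the commit message; otherwise define `PREFIX ?= /usr` and `MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3` (and likewise for MAN5DIR and MAN8DIR) so the two variables keep their separate meanings.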
@@ -0,0 +1,93 @@ +.TH >> semanage.conf "5" "September 2011" "semanage.conf" "Linux System >> Administration" +.SH NAME +semanage.conf \- global configuration >> file for the SELinux Management library +.SH DESCRIPTION +.PP >> +The +.BR semanage.conf +file is usually located under the >> directory /etc/selinux and it is used for run-time configuration >> of the +behavior of the SELinux Management library. + +.PP +Each >> line should contain a configuration parameter followed by the >> equal sign ("=") and then followed by the configuration value for >> that +parameter. Anything after the "#" symbol is ignored >> similarly to empty lines. + +.PP +The following parameters are >> allowed: + +.RS +.TP +.B module-store +Specify how the SELinux >> Management library should interact with the SELinux policy store. >> When set to "direct", the SELinux +Management library writes to >> the SELinux policy module store directly (this is the default >> setting). +Otherwise a socket path or a server name can be used >> for the argument. +If the argument begins with "/" (as in >> "/foo/bar"), it represents the path to a named socket that should >> be used to connect the policy management +server. +If the >> argument does not begin with a "/" (as in "foo.com:4242"), it >> should be interpreted as the name of a remote policy management >> server +to be used through a TCP connection (default port is 4242 >> unless a different one is specified after the server name using >> the colon to separate +the two fields). + +.TP +.B policy-version >> +When generating the policy, by default +.BR semanage +will set >> the policy version to POLICYDB_VERSION_MAX, as defined in >> <sepol/policydb/policydb.h>. Change this setting if a different >> +version needs to be set for the policy. + +.TP +.B expand-check >> +Whether or not to check "neverallow" rules when executing all >> +.BR semanage +command. It can be set to either "0" (disabled) or >> "1" (enabled) and by default it is enabled. 
There might be a >> large +penalty in execution time if this option is enabled. + >> +.TP +.B file-mode +By default the permission mode for the >> run-time policy files is set to 0644. + +.TP +.B save-previous >> +It controls whether the previous module directory is saved after >> a successful commit to the policy store and it can be set to >> +either "true" or "false". By default it is set to "false" (the >> previous version is deleted). + +.TP +.B save-linked +It controls >> whether the previously linked module is saved (with name >> "base.linked") after a successful commit to the policy store. +It >> can be set to either "true" or "false" and by default it is set >> to "false" (the previous module is deleted). + +.TP +.B usepasswd >> +Whether or not to enable the use getpwent() to obtain a list of >> home directories to label. It can be set to either "true" or >> "false". +By default it is set to "true". + +.TP +.B >> disable-genhomedircon +It controls whether or not the >> genhomedircon function is executed when using the +.BR semanage >> +command and it can be set to either "false" or "true". By >> default the genhomedircon functionality is enabled (equivalent >> +to this option set to "false"). + +.TP +.B handle-unknown +This >> option controls the kernel behavior for handling permissions >> defined in the kernel but missing from the actual policy. +It can >> be set to "deny", "reject" or "allow". + +.TP +.B bzip-blocksize >> +It should be in the range 0-9. A value of 0 means no >> compression. By default the bzip block size is set to 9 (actual >> block +size value is obtained after multiplication by 100000). + >> +.TP +.B bzip-small +When set to "true", the bzip algorithm shall >> try to reduce its system memory usage. It can be set to either >> "true" or "false" and +by default it is set to "false". + +.SH >> "SEE ALSO" +.TP +semanage(8) +.PP + +.SH AUTHOR +This manual page >> was written by Guido Trentalancia <guido@trentalancia.com>. 
+ >> +The SELinux management library was written by Tresys Technology >> LLC and Red Hat Inc. >> >> Regards, >> >> Guido >> >> On Tue, 2011-09-13 at 07:27 +0200, Guido Trentalancia wrote: >>> With the bits to install it: >>> >>> diff -pruN >>> selinux-13092011-new/policycoreutils/semanage/Makefile >>> selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile >>> >>> - --- selinux-13092011-new/policycoreutils/semanage/Makefile 2011-09-13 03:10:39.427692261 +0200 >>> +++ >>> selinux-13092011-new-manual-pages/policycoreutils/semanage/Makefile >>> 2011-09-13 07:22:46.159015090 +0200 
@@ -11,9 +11,11 @@ >>> TARGETS=semanage all: $(TARGETS) >>> >>> install: all + [ -d $(MANDIR)/man5 ] || mkdir -p >>> $(MANDIR)/man5 [ -d $(MANDIR)/man8 ] || mkdir -p >>> $(MANDIR)/man8 -mkdir -p $(SBINDIR) install -m 755 semanage >>> $(SBINDIR) + install -m 644 semanage.conf.5 $(MANDIR)/man5 >>> install -m 644 semanage.8 $(MANDIR)/man8 test -d >>> $(PYTHONLIBDIR)/site-packages || install -m 755 -d >>> $(PYTHONLIBDIR)/site-packages install -m 755 seobject.py >>> $(PYTHONLIBDIR)/site-packages >>> >>> On Tue, 2011-09-13 at 07:00 +0200, Guido Trentalancia wrote: >>>> So, here is a first new manual page that I propose to >>>> introduce: semanage.conf(5). >>>> >>>> On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote: >>>>> On Thu, 2011-09-01 at 21:52 -0400, Eric Paris wrote: >>>>>> On Thu, Sep 1, 2011 at 5:21 PM, Guido Trentalancia >>>>>> <guido@trentalancia.com> wrote: >>>>>>> On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh >>>>>>> wrote: >>>>>>>> On 09/01/2011 01:09 AM, Russell Coker wrote: >>>>>>>>> Has anyone written manpages for genhomedircon, >>>>>>>>> sepolgen-ifgen, and seunshare? If not is there >>>>>>>>> someone with some spare time and man page writing >>>>>>>>> skill? >>>> >>>> [cut] >>>> >>>>> I would like to take this opportunity to suggest that we >>>>> create manual pages for configuration files where possible >>>>> (none available at the moment ?!?). >>>>> >>>>> For example, the very first one I would like to have is >>>>> semanage.conf.5. >>>> >>>> diff -pruN selinux/policycoreutils/semanage/semanage.conf.5 >>>> selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 >>>> >>>> - --- selinux/policycoreutils/semanage/semanage.conf.5 1970-01-01 01:00:00.000000000 +0100 >>>> +++ >>>> selinux-13092011-new-manual-pages/policycoreutils/semanage/semanage.conf.5 >>>> 2011-09-13 06:54:47.309754193 +0200 
@@ -0,0 +1,93 @@ +.TH >>>> semanage.conf "5" "September 2011" "semanage.conf" "Linux >>>> System Administration" +.SH NAME +semanage.conf \- global >>>> configuration file for the SELinux Management library +.SH >>>> DESCRIPTION +.PP +The +.BR semanage.conf +file is usually >>>> located under the directory /etc/selinux and it is used for >>>> run-time configuration of the +behavior of the SELinux >>>> Management library. + +.PP +Each line should contain a >>>> configuration parameter followed by the equal sign ("=") and >>>> then followed by the configuration value for that +parameter. >>>> Anything after the "#" symbol is ignored similarly to empty >>>> lines. + +.PP +The following parameters are allowed: + +.RS >>>> +.TP +.B module-store +Specify how the SELinux Management >>>> library should interact with the SELinux policy store. When >>>> set to "direct", the SELinux +Management library writes to >>>> the SELinux policy module store directly (this is the default >>>> setting). +Otherwise a socket path or a server name can be >>>> used for the argument. +If the argument begins with "/" (as >>>> in "/foo/bar"), it represents the path to a named socket that >>>> should be used to connect the policy management +server. +If >>>> the argument does not begin with a "/" (as in >>>> "foo.com:4242"), it should be interpreted as the name of a >>>> remote policy management server +to be used through a TCP >>>> connection (default port is 4242 unless a different one is >>>> specified after the server name using the colon to separate >>>> +the two fields). + +.TP +.B policy-version +When generating >>>> the policy, by default +.BR semanage +will set the policy >>>> version to POLICYDB_VERSION_MAX, as defined in >>>> <sepol/policydb/policydb.h>. Change this setting if a >>>> different +version needs to be set for the policy. + +.TP +.B >>>> expand-check +Whether or not to check "neverallow" rules when >>>> executing all +.BR semanage +command. 
It can be set to either >>>> "0" (disabled) or "1" (enabled) and by default it is enabled. >>>> There might be a large +penalty in execution time if this >>>> option is enabled. + +.TP +.B file-mode +By default the >>>> permission mode for the run-time policy files is set to >>>> 0644. + +.TP +.B save-previous +It controls whether the >>>> previous module directory is saved after a successful commit >>>> to the policy store and it can be set to +either "true" or >>>> "false". By default it is set to "false" (the previous >>>> version is deleted). + +.TP +.B save-linked +It controls >>>> whether the previously linked module is saved (with name >>>> "base.linked") after a successful commit to the policy >>>> store. +It can be set to either "true" or "false" and by >>>> default it is set to "false" (the previous module is >>>> deleted). + +.TP +.B usepasswd +Whether or not to enable the >>>> use getpwent() to obtain a list of home directories to label. >>>> It can be set to either "true" or "false". +By default it is >>>> set to "true". + +.TP +.B disable-genhomedircon +It controls >>>> whether or not the genhomedircon function is executed when >>>> using the +.BR semanage +command and it can be set to either >>>> "false" or "true". By default the genhomedircon functionality >>>> is enabled (equivalent +to this option set to "false"). + >>>> +.TP +.B handle-unknown +This option controls the kernel >>>> behavior for handling permissions defined in the kernel but >>>> missing from the actual policy. +It can be set to "deny", >>>> "reject" or "allow". + +.TP +.B bzip-blocksize +It should be >>>> in the range 0-9. A value of 0 means no compression. By >>>> default the bzip block size is set to 9 (actual block +size >>>> value is obtained after multiplication by 100000). + +.TP +.B >>>> bzip-small +When set to "true", the bzip algorithm shall try >>>> to reduce its system memory usage. It can be set to either >>>> "true" or "false" and +by default it is set to "false". 
+ >>>> +.SH "SEE ALSO" +.TP +semanage(8) +.PP + +.SH AUTHOR +This >>>> manual page was written by Guido Trentalancia >>>> <guido@trentalancia.com>. + +The SELinux management library >>>> was written by Tresys Technology LLC and Red Hat Inc. >>>> >>>> Very simple, but possibly useful... >>>> >>>> Regards, >>>> >>>> Guido

I added this man page to the Fedora libsemanage package, which is where I believe it belongs.
* Re: policycoreutils manpages needed 2011-09-12 21:28 ` Guido Trentalancia 2011-09-12 22:03 ` Eric Paris 2011-09-13 5:00 ` [RFC] semanage.conf manual page (was Re: policycoreutils manpages needed) Guido Trentalancia @ 2011-09-16 7:26 ` Guido Trentalancia 2011-09-16 16:15 ` Richard Haines 2 siblings, 1 reply; 14+ messages in thread From: Guido Trentalancia @ 2011-09-16 7:26 UTC (permalink / raw) To: Eric Paris; +Cc: Daniel J Walsh, russell, SE-Linux

On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote:
> I would like to take this opportunity to suggest that we create manual
> pages for configuration files where possible (none available at the
> moment ?!?).

I would like to stress the above once again.

Further manual pages that I found missing and that would be nice to have in the future:

- global /etc/selinux/config (difficult to name, would that be very generically config.5) ?
- /etc/sestatus.conf: why not ?
- setrans.conf

> For example, the very first one I would like to have is
> semanage.conf.5.

By the way, an initial version of the above has been prepared.

> Then we could also create restorecond.conf.5 and restorecond_user.conf.5
> (both of them should be trivial).

I shall perhaps start doing the above next...

Regards,

Guido
* Re: policycoreutils manpages needed 2011-09-16 7:26 ` policycoreutils manpages needed Guido Trentalancia @ 2011-09-16 16:15 ` Richard Haines 0 siblings, 0 replies; 14+ messages in thread From: Richard Haines @ 2011-09-16 16:15 UTC (permalink / raw) To: Guido Trentalancia; +Cc: Daniel J Walsh, russell, SE-Linux, Eric Paris

I produced an SELinux config file man page + others in the following document:
http://taiga.selinuxproject.org/~rhaines/notebooks/Updated_libselinux_Man_Pages.pdf

If you think any of them are useful I'm happy to convert them to the man page format (currently in OpenDocument format).

Richard

PS I've been tracking other config file formats as they change but never get around to publishing them, so if there are specific ones let me know and I'll see what I've got.

--- On Fri, 16/9/11, Guido Trentalancia <guido@trentalancia.com> wrote:
> From: Guido Trentalancia <guido@trentalancia.com>
> Subject: Re: policycoreutils manpages needed
> To: "Eric Paris" <eparis@parisplace.org>
> Cc: "Daniel J Walsh" <dwalsh@redhat.com>, russell@coker.com.au, "SE-Linux" <selinux@tycho.nsa.gov>
> Date: Friday, 16 September, 2011, 8:26
> On Mon, 2011-09-12 at 23:28 +0200, Guido Trentalancia wrote:
> > I would like to take this opportunity to suggest that we create manual
> > pages for configuration files where possible (none available at the
> > moment ?!?).
>
> I would like to stress the above once again.
>
> Further manual pages that I found missing and that would be nice to have
> in the future:
>
> - global /etc/selinux/config (difficult to name, would that be very
> generically config.5) ?
> - /etc/sestatus.conf: why not ?
> - setrans.conf
>
> > For example, the very first one I would like to have is
> > semanage.conf.5.
>
> By the way, an initial version of the above has been prepared.
>
> > Then we could also create restorecond.conf.5 and restorecond_user.conf.5
> > (both of them should be trivial).
>
> I shall perhaps start doing the above next...
>
> Regards,
>
> Guido
* [PATCH] genhomedircon installation and manual page improvements (was Re: policycoreutils manpages needed) 2011-09-01 13:42 ` Daniel J Walsh 2011-09-01 21:21 ` Guido Trentalancia @ 2011-09-12 4:48 ` Guido Trentalancia 1 sibling, 0 replies; 14+ messages in thread From: Guido Trentalancia @ 2011-09-12 4:48 UTC (permalink / raw) To: Daniel J Walsh; +Cc: russell, SE-Linux Hello, the very first thing I would suggest for genhomedircon is to make the installation a bit more robust as follows: Do not hard-code the path to semodule in the genhomedircon script but rather generate it during each installation according to the value of the SBINDIR environment variable. --- selinux/policycoreutils/scripts/Makefile 2011-09-02 04:19:47.355716903 +0200 +++ selinux-12092011-master-new/policycoreutils/scripts/Makefile 2011-09-12 05:52:41.334996312 +0200 @@ -11,7 +11,10 @@ install: all -mkdir -p $(BINDIR) install -m 755 chcat $(BINDIR) install -m 755 fixfiles $(DESTDIR)/sbin - install -m 755 genhomedircon $(SBINDIR) + @echo "#!/bin/sh" > genhomedircon + @echo >> genhomedircon + @echo "$(SBINDIR)/semodule -Bn" >> genhomedircon + install -m 755 genhomedircon $(SBINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ install -m 644 genhomedircon.8 $(MANDIR)/man8/ The manual page does not seem that bad apart from a possibly unwanted dump from emacs. However, here is a possible improvement: --- selinux/policycoreutils/scripts/genhomedircon.8 2011-09-02 04:19:47.356716910 +0200 +++ selinux-12092011-master-new/policycoreutils/scripts/genhomedircon.8 2011-09-12 06:45:01.206251165 +0200 
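Review bot: the install rule now writes the generated script over the tracked `genhomedircon` file in the source tree (`@echo "#!/bin/sh" > genhomedircon`), so `make install` dirties the checkout and a second install with a different SBINDIR silently rewrites it; generate into a build artifact from the `all` target, remove it in `clean`, and install from there. If SBINDIR is derived from DESTDIR the way the library Makefiles quoted in this thread derive their PREFIX, the path baked into the script will point at the staging directory rather than the final sbin directory, so the substitution should use the run-time path, not the install-time one. Dropping the `@` prefixes would also leave the generated command visible in the install log, which helps when a packager has to check what was written.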
@@ -1,37 +1,21 @@ -.\" Hey, Emacs! This is an -*- nroff -*- source file. -.\" Copyright (c) 2010 Dan Walsh <dwalsh@redhat.com> -.\" -.\" This is free documentation; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public License as -.\" published by the Free Software Foundation; either version 2 of -.\" the License, or (at your option) any later version. -.\" -.\" The GNU General Public License's references to "object code" -.\" and "executables" are to be interpreted as the output of any -.\" document formatting or typesetting system, including -.\" intermediate and printed output. -.\" -.\" This manual is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public -.\" License along with this manual; if not, write to the Free -.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, -.\" USA. -.\" -.\" -.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux" +.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux" .SH NAME genhomedircon \- generate SELinux file context configuration entries for user home directories .SH SYNOPSIS .B genhomedircon -is a script that executes semodule to rebuild policy and create the -labels for HOMEDIRS based on home directories returned by the getpw calls. +is a script that executes +.B semodule +to rebuild the SELinux policy and to create the +labels for each user home directory based on directory paths returned by calls to getpwent(). -This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf. +This functionality can be disabled by using the "usepasswd" flag in /etc/selinux/semanage.conf +(such flag can either take the value "true" or "false" and by default it is set to "true"). 
.SH AUTHOR This manual page was written by .I Dan Walsh <dwalsh@redhat.com> + +The supporting functionality in the semanage library was written by Tresys Technology. + +.SH "SEE ALSO" +semodule(8), getpwent(3), getpwent_r(3)

Regards,

Guido

On Thu, 2011-09-01 at 09:42 -0400, Daniel J Walsh wrote:
> On 09/01/2011 01:09 AM, Russell Coker wrote:
> > Has anyone written manpages for genhomedircon, sepolgen-ifgen, and
> > seunshare? If not is there someone with some spare time and man
> > page writing skill?
> >
> We have man pages for genhomedircon and seunshare. Although the
> genhomedircon man page is rather sparse.
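Review bot: `.TH GENHOMEDIRCON "12" "Sep 2011"` in the genhomedircon.8 hunk changes the manual section field from "8" to "12"; the second `.TH` argument is the section number and the file is installed into $(MANDIR)/man8, so it should stay "8" (the "12" reads like a day of the month that belongs in the date field). In the new sentence on usepasswd, "such flag can either take the value" should read "the flag can take either the value"; and since that sentence points readers at /etc/selinux/semanage.conf, the SEE ALSO list should also reference semanage.conf(5) once the page proposed elsewhere in this thread lands.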
end of thread, other threads:[~2011-09-19 11:31 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2011-09-01 5:09 policycoreutils manpages needed Russell Coker 2011-09-01 13:42 ` Daniel J Walsh 2011-09-01 21:21 ` Guido Trentalancia 2011-09-02 1:52 ` Eric Paris 2011-09-12 21:28 ` Guido Trentalancia 2011-09-12 22:03 ` Eric Paris 2011-09-13 5:00 ` [RFC] semanage.conf manual page (was Re: policycoreutils manpages needed) Guido Trentalancia 2011-09-13 5:27 ` Guido Trentalancia 2011-09-13 16:03 ` [RFC v2] semanage.conf manual page (was Re: [RFC] semanage.conf manual page) Guido Trentalancia 2011-09-15 4:51 ` [PATCH v3] semanage.conf manual page Guido Trentalancia 2011-09-19 11:30 ` Daniel J Walsh 2011-09-16 7:26 ` policycoreutils manpages needed Guido Trentalancia 2011-09-16 16:15 ` Richard Haines 2011-09-12 4:48 ` [PATCH] genhomedircon installation and manual page improvements (was Re: policycoreutils manpages needed) Guido Trentalancia