[PATCH 00/15] Patches from the Debian packages

[PATCH 00/15] Patches from the Debian packages

[Laurent Bigonville]

Hi,

Please find in the following mails patches that are coming from the debian
packages or that fix issues that were detected using some debian tools.

Most of the patches are fixing build system or manpage formating issues.

An other one is adding handeling of UID_MAX (similar to UID_MIN) in
genhomedircon.

Most of these patches have already been proposed in the past, but have been
lost for some reasons.

Cheers

Laurent Bigonville


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 01/16] Policycoreutils: Allow overriding INITDIR in restorecond Makefile

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 policycoreutils/restorecond/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
index 3074542..23f458d 100644
--- a/policycoreutils/restorecond/Makefile
+++ b/policycoreutils/restorecond/Makefile
@@ -7,7 +7,7 @@ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
 DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
 
 autostart_DATA = sealertauto.desktop
-INITDIR = $(DESTDIR)/etc/rc.d/init.d
+INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
 SELINUXDIR = $(DESTDIR)/etc/selinux
 
 DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 02/16] policycoreutils: Create correct man directory for run_init manpages

[Laurent Bigonville]

From: Russell Coker <russell@coker.com.au>

---
 policycoreutils/run_init/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
index 12b39b4..5815a08 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -33,7 +33,7 @@ open_init_pty: open_init_pty.c
 
 install: all
 	test -d $(SBINDIR)      || install -m 755 -d $(SBINDIR)
-	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+	test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
 	install -m 755 run_init $(SBINDIR)
 	install -m 755 open_init_pty $(SBINDIR)
 	install -m 644 run_init.8 $(MANDIR)/man8/
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 03/16] policycoreutils: Allow overriding CFLAGS in setfiles and sestatus Makefiles

[Laurent Bigonville]

From: Simon Ruderich <simon@ruderich.org>

This is required to be able to pass hardening flags in Debian.
---
 policycoreutils/sestatus/Makefile | 2 +-
 policycoreutils/setfiles/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index c5db7a3..c04ff00 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LIBDIR ?= $(PREFIX)/lib
 
-CFLAGS = -Werror -Wall -W
+CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
 LDLIBS = -lselinux -L$(LIBDIR)
 
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index 4b44b3c..98f4f7d 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -8,7 +8,7 @@ AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
 PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
 ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
 
-CFLAGS = -g -Werror -Wall -W
+CFLAGS ?= -g -Werror -Wall -W
 override CFLAGS += -I$(PREFIX)/include
 LDLIBS = -lselinux -lsepol -L$(LIBDIR)
 
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 04/16] checkpolicy: Allow overriding LIBDIR in test/Makefile

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 checkpolicy/test/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index 0731e89..63b4d24 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -3,7 +3,7 @@
 #
 PREFIX ?= $(DESTDIR)/usr
 BINDIR=$(PREFIX)/bin
-LIBDIR=$(PREFIX)/lib
+LIBDIR ?= $(PREFIX)/lib
 INCLUDEDIR ?= $(PREFIX)/include
 
 CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 05/16] libsepol: Allow overriding LIBBASE in src/Makefile

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 libsepol/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index cd8e767..79de6dc 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
 INCLUDEDIR ?= $(PREFIX)/include
 LIBDIR ?= $(PREFIX)/lib
 SHLIBDIR ?= $(DESTDIR)/lib
-LIBBASE=$(shell basename $(LIBDIR))
+LIBBASE ?= $(shell basename $(LIBDIR))
 
 VERSION = $(shell cat ../VERSION)
 LIBVERSION = 1
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 06/16] libsemanage: Also check for the uppoer bound on user ids in login.defs

[Laurent Bigonville]

From: Manoj Srivastava <srivasta@debian.org>

Some non-Debian packages (like qmail, shudder) create
users not below MIN_UID, but above MAX_UID, in /etc/login.defs
(non-system users are supposed to have uids between MIN_UID and
MAX_UID.

genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
/etc/login.defs to exclude system users from generating homedir
contexts. But unfortunately it does not check it against MAX_UID
setting from the same file. This gets us lines like the following in
the contexts/files/file_contexts.homedirs file:
,----
| #
| # Home Context for user user_u
| #
| /var/qmail/[^/]*/.+ user_u:object_r:user_home_t:s0
| /var/qmail/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
| /var/qmail/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
| /var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
| /var/qmail/lost\+found/.* <<none>>
| /var/qmail -d system_u:object_r:home_root_t:s0
| /var/qmail/\.journal <<none>>
| /var/qmail/lost\+found -d system_u:object_r:lost_found_t:s0
| /tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
`----
This commit adds checking uid value againt MAX_UID too.
---
 libsemanage/src/genhomedircon.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 3c81d7a..8af51d3 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -283,8 +283,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
 	char *rbuf = NULL;
 	char *path = NULL;
 	long rbuflen;
-	uid_t temp, minuid = 500;
-	int minuid_set = 0;
+	uid_t temp, minuid = 500, maxuid = 60000;
+	int minuid_set = 0, maxuid_set = 0;
 	struct passwd pwstorage, *pwbuf;
 	struct stat buf;
 	int retval;
@@ -333,6 +333,15 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
 	free(path);
 	path = NULL;
 
+	path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL);
+	if (path && *path) {
+		temp = atoi(path);
+		maxuid = temp;
+		maxuid_set = 1;
+	}
+	free(path);
+	path = NULL;
+
 	path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "=");
 	if (path && *path) {
 		temp = atoi(path);
@@ -352,7 +361,7 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
 		goto fail;
 	setpwent();
 	while ((retval = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0) {
-		if (pwbuf->pw_uid < minuid)
+		if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid)
 			continue;
 		if (!semanage_list_find(shells, pwbuf->pw_shell))
 			continue;
@@ -385,7 +394,7 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
 
 			/* NOTE: old genhomedircon printed a warning on match */
 			if (hand.matched) {
-				WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy.  This usually indicates an incorrectly defined system account.  If it is a system account please make sure its uid is less than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid);
+				WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy.  This usually indicates an incorrectly defined system account.  If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
 			} else {
 				if (semanage_list_push(&homedir_list, path))
 					goto fail;
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 07/16] libselinux: Allow overriding LIBBASE in src/Makefile

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c4f5d4c..2c29277 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -18,7 +18,7 @@ RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")'
 RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
 RUBYINC ?= $(shell pkg-config --cflags ruby)
 RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
-LIBBASE=$(shell basename $(LIBDIR))
+LIBBASE ?= $(shell basename $(LIBDIR))
 
 LDFLAGS ?= -lpcre -lpthread
 
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 08/16] libselinux: Do not use LDFLAGS to set -lpcre and -lpthread

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

This is breaking build if LDFLAGS is redefined.

This is the case on Debian where hardening flags are passed
automatically by the build system.
---
 libselinux/src/Makefile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 2c29277..8f557a1 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -20,8 +20,6 @@ RUBYINC ?= $(shell pkg-config --cflags ruby)
 RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
 LIBBASE ?= $(shell basename $(LIBDIR))
 
-LDFLAGS ?= -lpcre -lpthread
-
 VERSION = $(shell cat ../VERSION)
 LIBVERSION = 1
 
@@ -116,7 +114,7 @@ $(LIBA): $(OBJS)
 	$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-	$(CC) $(CFLAGS) -shared -o $@ $^ -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -lpthread -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
 	ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 09/16] libselinux: Fix various minor manpage issues and correct section numbering.

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 libselinux/man/man3/security_disable.3     | 4 ++--
 libselinux/man/man3/security_load_policy.3 | 4 ++--
 libselinux/man/man8/getenforce.8           | 2 +-
 libselinux/man/man8/selinuxenabled.8       | 2 +-
 libselinux/man/man8/selinuxexeccon.8       | 2 +-
 libselinux/man/man8/setenforce.8           | 2 +-
 libselinux/man/man8/togglesebool.8         | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index aeb78da..c75ce0d 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -17,7 +17,7 @@ and then unmounts
 This function can only be called at runtime and prior to the initial policy
 load. After the initial policy load, the SELinux kernel code cannot be disabled,
 but only placed in "permissive" mode by using
-.BR setenforce (1).
+.BR security_setenforce(3).
 .
 .SH "RETURN VALUE"
 .BR security_disable ()
@@ -27,4 +27,4 @@ returns zero on success or \-1 on error.
 This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
 .
 .SH "SEE ALSO"
-.BR selinux (8), " setenforce "(3)
+.BR selinux (8), " setenforce "(8)
diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3
index c4439bf..af56163 100644
--- a/libselinux/man/man3/security_load_policy.3
+++ b/libselinux/man/man3/security_load_policy.3
@@ -43,7 +43,7 @@ unmounted using a call to
 .BR security_disable (3).
 Therefore, after the initial policy load, the only operational changes
 are those permitted by
-.BR setenforce (3)
+.BR security_setenforce (3)
 (i.e. eventually setting the framework in permissive mode rather than
 in enforcing one).
 .
@@ -54,4 +54,4 @@ Returns zero on success or \-1 on error.
 This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
 .
 .SH "SEE ALSO"
-.BR selinux "(8), " security_disable "(3), " setenforce "(1)
+.BR selinux "(8), " security_disable "(3), " setenforce "(8)
diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8
index 906279f..e0924d8 100644
--- a/libselinux/man/man8/getenforce.8
+++ b/libselinux/man/man8/getenforce.8
@@ -1,4 +1,4 @@
-.TH "getenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.TH "getenforce" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 getenforce \- get the current mode of SELinux
 .
diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8
index e0b5201..ac20587 100644
--- a/libselinux/man/man8/selinuxenabled.8
+++ b/libselinux/man/man8/selinuxenabled.8
@@ -1,4 +1,4 @@
-.TH "selinuxenabled" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.TH "selinuxenabled" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled
 .
diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8
index 765cf8c..30c20ed 100644
--- a/libselinux/man/man8/selinuxexeccon.8
+++ b/libselinux/man/man8/selinuxexeccon.8
@@ -1,4 +1,4 @@
-.TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.TH "selinuxexeccon" "8" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 selinuxexeccon \- report SELinux context used for this executable
 .
diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8
index b038da0..8a24f1c 100644
--- a/libselinux/man/man8/setenforce.8
+++ b/libselinux/man/man8/setenforce.8
@@ -1,4 +1,4 @@
-.TH "setenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.TH "setenforce" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 setenforce \- modify the mode SELinux is running in
 .
diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8
index 948aff1..598dc94 100644
--- a/libselinux/man/man8/togglesebool.8
+++ b/libselinux/man/man8/togglesebool.8
@@ -1,4 +1,4 @@
-.TH "togglesebool" "1" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation"
+.TH "togglesebool" "8" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
 togglesebool \- flip the current value of a SELinux boolean
 .
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 10/16] checkpolicy: Fix cases where hyphen were used as minus sign in manpages

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 checkpolicy/checkmodule.8 | 6 +++---
 checkpolicy/checkpolicy.8 | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
index 40f73c5..2a7ab5c 100644
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@@ -3,7 +3,7 @@
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
-.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
@@ -12,7 +12,7 @@ command.
 .B checkmodule
 is a program that checks and compiles a SELinux security policy module
 into a binary representation.  It can generate either a base policy
-module (default) or a non-base policy module (-m option); typically,
+module (default) or a non-base policy module (\-m option); typically,
 you would build a non-base policy module to add to an existing module
 store that already has a base module provided by the base policy.  Use
 semodule_package to combine this module with its optional file
@@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow
 .SH EXAMPLE
 .nf
 # Build a MLS/MCS-enabled non-base policy module.
-$ checkmodule -M -m httpd.te -o httpd.mod
+$ checkmodule \-M \-m httpd.te \-o httpd.mod
 .fi
 
 .SH "SEE ALSO"
diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 6826938..0086bdc 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
+.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -14,7 +14,7 @@ command.
 is a program that checks and compiles a SELinux security policy configuration
 into a binary representation that can be loaded into the kernel.  If no 
 input file name is specified, checkpolicy will attempt to read from
-policy.conf or policy, depending on whether the -b flag is specified.
+policy.conf or policy, depending on whether the \-b flag is specified.
 
 .SH OPTIONS
 .TP
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 11/16] libsemanage: Fix cases where hyphen were used as minus sign in manpages

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 libsemanage/man/man3/semanage_bool_set_active.3 | 2 +-
 libsemanage/man/man3/semanage_count.3           | 2 +-
 libsemanage/man/man3/semanage_del.3             | 2 +-
 libsemanage/man/man3/semanage_exists.3          | 2 +-
 libsemanage/man/man3/semanage_iterate.3         | 4 ++--
 libsemanage/man/man3/semanage_list.3            | 2 +-
 libsemanage/man/man3/semanage_modify.3          | 2 +-
 libsemanage/man/man3/semanage_query.3           | 2 +-
 libsemanage/man/man3/semanage_set_root.3        | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/libsemanage/man/man3/semanage_bool_set_active.3 b/libsemanage/man/man3/semanage_bool_set_active.3
index 026e29d..d868fe8 100644
--- a/libsemanage/man/man3/semanage_bool_set_active.3
+++ b/libsemanage/man/man3/semanage_bool_set_active.3
@@ -40,7 +40,7 @@ This function requires an semanage connection to be established (see
 ).
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise 0 is returned.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_count.3 b/libsemanage/man/man3/semanage_count.3
index b131cbe..b865a21 100644
--- a/libsemanage/man/man3/semanage_count.3
+++ b/libsemanage/man/man3/semanage_count.3
@@ -33,7 +33,7 @@ This function requires an semanage connection to be established (see
 )
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_del.3 b/libsemanage/man/man3/semanage_del.3
index 5b11ce3..4dd0a77 100644
--- a/libsemanage/man/man3/semanage_del.3
+++ b/libsemanage/man/man3/semanage_del.3
@@ -40,7 +40,7 @@ This function requires an semanage connection to be established (see
 ).
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise 0 is returned.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_exists.3 b/libsemanage/man/man3/semanage_exists.3
index da401c2..6d68c76 100644
--- a/libsemanage/man/man3/semanage_exists.3
+++ b/libsemanage/man/man3/semanage_exists.3
@@ -38,7 +38,7 @@ This function requires an semanage connection to be established (see
 )
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other read calls to the semanage database until the next commit.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_iterate.3 b/libsemanage/man/man3/semanage_iterate.3
index 8773800..1528164 100644
--- a/libsemanage/man/man3/semanage_iterate.3
+++ b/libsemanage/man/man3/semanage_iterate.3
@@ -31,7 +31,7 @@ if that is necessary.
 
 The handler code may not invoke any semanage write requests for the same object type (i.e. modifying the underlying store is not allowed). The iterate function is reentrant only while inside a transaction (see
 .B semanage_begin_transaction
-). It is not safe to execute other semanage read or write requests within iterate if not inside a transaction. The handler may return -1 to signal error exit, 0 to signal continue, and 1 to signal successful exit early (the iterate function will stop accordingly). 
+). It is not safe to execute other semanage read or write requests within iterate if not inside a transaction. The handler may return \-1 to signal error exit, 0 to signal continue, and 1 to signal successful exit early (the iterate function will stop accordingly).
 
 .TP
 .B Parameters:
@@ -50,7 +50,7 @@ This function requires an semanage connection to be established (see
 )
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_list.3 b/libsemanage/man/man3/semanage_list.3
index 9376702..acc161f 100644
--- a/libsemanage/man/man3/semanage_list.3
+++ b/libsemanage/man/man3/semanage_list.3
@@ -39,7 +39,7 @@ This function requires an semanage connection to be established (see
 )
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_modify.3 b/libsemanage/man/man3/semanage_modify.3
index 04bd801..ee23900 100644
--- a/libsemanage/man/man3/semanage_modify.3
+++ b/libsemanage/man/man3/semanage_modify.3
@@ -42,7 +42,7 @@ This function requires an semanage connection to be established (see
 ).
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise 0 is returned.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_query.3 b/libsemanage/man/man3/semanage_query.3
index 1a6cdb2..e61c8b8 100644
--- a/libsemanage/man/man3/semanage_query.3
+++ b/libsemanage/man/man3/semanage_query.3
@@ -39,7 +39,7 @@ This function requires an semanage connection to be established (see
 )
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error.
+In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error.
 Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit.
 
 .SH "SEE ALSO"
diff --git a/libsemanage/man/man3/semanage_set_root.3 b/libsemanage/man/man3/semanage_set_root.3
index 2ae0f17..664822e 100644
--- a/libsemanage/man/man3/semanage_set_root.3
+++ b/libsemanage/man/man3/semanage_set_root.3
@@ -15,7 +15,7 @@ Set the alternate root directory for SELinux configuration directory.
 This function sets an alternate root directory to for SELinux configuration paths to be used by the semanage library.
 
 .SH "RETURN VALUE"
-In case of failure, -1 is returned.
+In case of failure, \-1 is returned.
 Otherwise 0 is returned.
 
 .SH "SEE ALSO"
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 12/16] libsepol: Fix cases where hyphen were used as minus sign in manpages

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

---
 libsepol/man/man3/sepol_check_context.3 | 2 +-
 libsepol/man/man3/sepol_genbools.3      | 2 +-
 libsepol/man/man3/sepol_genusers.3      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libsepol/man/man3/sepol_check_context.3 b/libsepol/man/man3/sepol_check_context.3
index a63cd56..4a3c57d 100644
--- a/libsepol/man/man3/sepol_check_context.3
+++ b/libsepol/man/man3/sepol_check_context.3
@@ -22,4 +22,4 @@ policy on a SELinux system, use
 from libselinux instead.
 
 .SH "RETURN VALUE"
-Returns 0 on success or -1 with errno set otherwise.
+Returns 0 on success or \-1 with errno set otherwise.
diff --git a/libsepol/man/man3/sepol_genbools.3 b/libsepol/man/man3/sepol_genbools.3
index 0a30137..ca5b5a6 100644
--- a/libsepol/man/man3/sepol_genbools.3
+++ b/libsepol/man/man3/sepol_genbools.3
@@ -21,7 +21,7 @@ does likewise, but obtains the boolean settings from the parallel arrays
 (names, values) with nel elements each.
 
 .SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise, with errno set appropriately.
+Returns 0 on success or \-1 otherwise, with errno set appropriately.
 An errno of ENOENT indicates that the boolean file did not exist.
 An errno of EINVAL indicates that one or more booleans listed in the
 boolean file was undefined in the policy or had an invalid value specified;
diff --git a/libsepol/man/man3/sepol_genusers.3 b/libsepol/man/man3/sepol_genusers.3
index 05dff00..1f820ff 100644
--- a/libsepol/man/man3/sepol_genusers.3
+++ b/libsepol/man/man3/sepol_genusers.3
@@ -44,7 +44,7 @@ set to 1 prior to calling
 in order to enable deletion of such users.
 
 .SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise, with errno set appropriately.
+Returns 0 on success or \-1 otherwise, with errno set appropriately.
 An errno of ENOENT indicates that one or both of the user
 configuration files did not exist.  An errno of EINVAL indicates that
 either the original binary policy image or the generated one were
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 13/16] policycoreutils: Fix cases where hyphen were used as minus sign in manpages

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

And also other minor formating issues
---
 policycoreutils/audit2allow/audit2allow.1          | 32 +++++++--------
 policycoreutils/man/man5/selinux_config.5          |  2 +-
 policycoreutils/mcstrans/man/man8/mcs.8            |  2 +-
 policycoreutils/newrole/newrole.1                  | 24 +++++------
 policycoreutils/scripts/chcat.8                    |  4 +-
 policycoreutils/scripts/fixfiles.8                 | 22 +++++-----
 policycoreutils/scripts/genhomedircon.8            |  2 +-
 policycoreutils/semanage/semanage.8                | 48 +++++++++++-----------
 policycoreutils/semodule/semodule.8                | 16 ++++----
 policycoreutils/semodule_deps/semodule_deps.8      |  6 +--
 .../semodule_package/semodule_package.8            |  8 ++--
 policycoreutils/sestatus/sestatus.conf.5           |  2 +-
 policycoreutils/setfiles/restorecon.8              |  4 ++
 policycoreutils/setfiles/setfiles.8                |  4 +-
 policycoreutils/setsebool/setsebool.8              |  8 ++--
 15 files changed, 94 insertions(+), 90 deletions(-)

diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index a854a45..bb607c3 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -29,7 +29,7 @@
 \- generate SELinux policy allow/dontaudit rules from logs of denied operations
 
 .BR audit2why  
-\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow \-w)
 
 .SH SYNOPSIS
 .B audit2allow
@@ -37,16 +37,16 @@
 .SH OPTIONS
 .TP
 .B "\-a" | "\-\-all"
-Read input from audit and message log, conflicts with -i
+Read input from audit and message log, conflicts with \-i
 .TP
 .B "\-b" | "\-\-boot"
-Read input from audit messages since last boot conflicts with -i
+Read input from audit messages since last boot conflicts with \-i
 .TP
 .B "\-d" | "\-\-dmesg"
 Read input from output of 
 .I /bin/dmesg.
 Note that all audit messages are not available via dmesg when
-auditd is running; use "ausearch -m avc | audit2allow"  or "-a" instead.
+auditd is running; use "ausearch \-m avc | audit2allow"  or "\-a" instead.
 .TP
 .B "\-D" | "\-\-dontaudit"
 Generate dontaudit rules (Default: allow)
@@ -65,7 +65,7 @@ read input only after last policy reload
 Generate module/require output <modulename>
 .TP
 .B "\-M <modulename>" 
-Generate loadable module package, conflicts with -o
+Generate loadable module package, conflicts with \-o
 .TP
 .B "\-p <policyfile>"  | "\-\-policy <policyfile>"
 Policy file to use for analysis
@@ -123,7 +123,7 @@ an 'allow' rule.
 .PP
 .B Using audit2allow to generate module policy
 
-$ cat /var/log/audit/audit.log | audit2allow -m local > local.te
+$ cat /var/log/audit/audit.log | audit2allow \-m local > local.te
 $ cat local.te
 module local 1.0;
 
@@ -141,7 +141,7 @@ allow myapp_t etc_t:file { getattr open read };
 
 .B Using audit2allow to generate module policy using reference policy
 
-$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
+$ cat /var/log/audit/audit.log | audit2allow \-R \-m local > local.te
 $ cat local.te
 policy_module(local, 1.0)
 
@@ -157,30 +157,30 @@ files_read_etc_files(myapp_t)
 
 # SELinux provides a policy devel environment under /usr/share/selinux/devel
 # You can create a te file and compile it by executing
-$ make -f /usr/share/selinux/devel/Makefile
-$ semodule -i local.pp
+$ make \-f /usr/share/selinux/devel/Makefile
+$ semodule \-i local.pp
 
 .B Building module policy manually
 
 # Compile the module
-$ checkmodule -M -m -o local.mod local.te
+$ checkmodule \-M \-m \-o local.mod local.te
 # Create the package 
-$ semodule_package -o local.pp -m local.mod
+$ semodule_package \-o local.pp \-m local.mod
 # Load the module into the kernel
-$ semodule -i local.pp
+$ semodule \-i local.pp
 
 .B Using audit2allow to generate and build module policy
-$ cat /var/log/audit/audit.log | audit2allow -M local
+$ cat /var/log/audit/audit.log | audit2allow \-M local
 Generating type enforcment file: local.te
-Compiling policy: checkmodule -M -m -o local.mod local.te
-Building package: semodule_package -o local.pp -m local.mod
+Compiling policy: checkmodule \-M \-m \-o local.mod local.te
+Building package: semodule_package \-o local.pp \-m local.mod
 
 ******************** IMPORTANT ***********************
 
 In order to load this newly created policy package into the kernel,
 you are required to execute
 
-semodule -i local.pp
+semodule \-i local.pp
 
 .B Using audit2allow to generate monolithic (non-module) policy
 $ cd /etc/selinux/$SELINUXTYPE/src/policy
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index 4963cdc..43f1ce4 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -122,7 +122,7 @@ This is an optional entry that allows the file system to be relabeled.
 .sp
 If set to \fI0\fR and there is a file called \fI.autorelabel\fR in the root directory, then on a reboot, the loader will drop to a shell where a root login is required. An administrator can then manually relabel the file system.
 .sp
-If set to \fI1\fR or no entry present (the default) and there is a \fI.autorelabel\fR file in the root directory, then the file system will be automatically relabeled using \fBfixfiles -F restore\fR
+If set to \fI1\fR or no entry present (the default) and there is a \fI.autorelabel\fR file in the root directory, then the file system will be automatically relabeled using \fBfixfiles \-F restore\fR
 .sp
 In both cases the \fI/.autorelabel\fR file will be removed so that relabeling is not done again.
 .RE
diff --git a/policycoreutils/mcstrans/man/man8/mcs.8 b/policycoreutils/mcstrans/man/man8/mcs.8
index 44126bf..aeaf22e 100644
--- a/policycoreutils/mcstrans/man/man8/mcs.8
+++ b/policycoreutils/mcstrans/man/man8/mcs.8
@@ -20,7 +20,7 @@ readable form.   Administrators can define any labels they want in this file.
 Certain applications like printing and auditing will use these labels to 
 identify the files.  By setting a category on a file you will prevent 
 other applications/services from having access to the files.
-.p
+.P
 Examples of file labels would be PatientRecord, CompanyConfidential etc.
 
 .SH "SEE ALSO"
diff --git a/policycoreutils/newrole/newrole.1 b/policycoreutils/newrole/newrole.1
index 376c458..c47bc52 100644
--- a/policycoreutils/newrole/newrole.1
+++ b/policycoreutils/newrole/newrole.1
@@ -44,7 +44,7 @@ Additional arguments
 .I ARGS
 may be provided after a -- option,
 in which case they are supplied to the new shell.
-In particular, an argument of -- -c will cause the next argument to be
+In particular, an argument of \-\- \-c will cause the next argument to be
 treated as a command by most command interpreters.
 .PP
 If a command argument is specified to newrole and the command name is found
@@ -66,31 +66,31 @@ shows the current version of newrole
 .SH EXAMPLE
 .br
 Changing role:
-   # id -Z
+   # id \-Z
    staff_u:staff_r:staff_t:SystemLow-SystemHigh
-   # newrole -r sysadm_r
-   # id -Z
+   # newrole \-r sysadm_r
+   # id \-Z
    staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
 
 Changing sensitivity only:
-   # id -Z
+   # id \-Z
    staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
-   # newrole -l Secret
-   # id -Z
+   # newrole \-l Secret
+   # id \-Z
    staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
 
 .PP
 Changing sensitivity and clearance:
-   # id -Z
+   # id \-Z
    staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
-   # newrole -l Secret-Secret
-   # id -Z
+   # newrole \-l Secret-Secret
+   # id \-Z
    staff_u:sysadm_r:sysadm_t:Secret
 
 .PP
 Running a program in a given role or level:
-   # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
-   # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
+   # newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..."
+   # newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..."
 
 .SH FILES
 /etc/passwd - user account information
diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8
index 7c6d75a..d095a25 100644
--- a/policycoreutils/scripts/chcat.8
+++ b/policycoreutils/scripts/chcat.8
@@ -21,7 +21,7 @@ chcat \- change file SELinux security category
 [\fI-d\fR] \fIuser\fR...
 .br
 .B chcat
-\fI-L\fR [ -l ] [ user ... ] 
+\fI-L\fR [ \-l ] [ user ... ]
 .br
 .SH DESCRIPTION
 .PP
@@ -31,7 +31,7 @@ Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR.
 .PP
 .B
 Note:
-When removing a category you must specify '--' on the command line before using the -Category syntax.  This tells the command that you have finished entering options and are now specifying a category name instead.
+When removing a category you must specify '\-\-' on the command line before using the \-Category syntax.  This tells the command that you have finished entering options and are now specifying a category name instead.
 
 .TP
 \fB\-d\fR
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9ab7334..2ac0073 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -5,13 +5,13 @@ fixfiles \- fix file SELinux security contexts.
 .SH "SYNOPSIS"
 
 .B fixfiles 
-.I [-v] [-F] [-l logfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] 
+.I [\-v] [\-F] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ]
 
 .B fixfiles 
-.I [-v] [-F] [ -R rpmpackagename[,rpmpackagename...] ] [-l logfile ] { check | restore | verify }
+.I [\-v] [\-F] [ \-R rpmpackagename[,rpmpackagename...] ] [\-l logfile ] { check | restore | verify }
 
 .B fixfiles 
-.I [-v] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] { check | restore | verify }
+.I [\-v] [ \-C PREVIOUS_FILECONTEXT ] [\-l logfile ] { check | restore | verify }
 
 .B fixfiles 
 .I onboot
@@ -28,7 +28,7 @@ It can also be run at any time to relabel when adding support for
 new policy, or  just check whether the file contexts are all
 as you expect.  By default it will relabel all mounted ext2, ext3, xfs and 
 jfs file systems as long as they do not have a security context mount 
-option.  You can use the -R flag to use rpmpackages as an alternative.
+option.  You can use the \-R flag to use rpmpackages as an alternative.
 The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
 excluded from relabelling.
 .P
@@ -37,21 +37,21 @@ will setup the machine to relabel on the next reboot.
 
 .SH "OPTIONS"
 .TP 
-.B -l logfile
+.B \-l logfile
 Save the output to the specified logfile
 .TP 
-.B -F
-Force  reset  of  context to match file_context for customizable files
+.B \-F
+Force reset of context to match file_context for customizable files
 
 .TP 
-.B -f
+.B \-f
 Clear /tmp directory with out prompt for removal.
 
 .TP 
-.B -R rpmpackagename[,rpmpackagename...]
-Use the rpm database to discover all files within the specified packages and restore the file contexts.  (-a will get all files in the RPM database).
+.B \-R rpmpackagename[,rpmpackagename...]
+Use the rpm database to discover all files within the specified packages and restore the file contexts.  (\-a will get all files in the RPM database).
 .TP
-.B -C PREVIOUS_FILECONTEXT
+.B \-C PREVIOUS_FILECONTEXT
 Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
 
 .TP 
diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
index 8ec509c..08e3bad 100644
--- a/policycoreutils/scripts/genhomedircon.8
+++ b/policycoreutils/scripts/genhomedircon.8
@@ -1,4 +1,4 @@
-.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux"
+.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
 .SH NAME
 genhomedircon \- generate SELinux file context configuration entries for user home directories
 .SH SYNOPSIS
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 28a9022..4d84ec0 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -5,16 +5,16 @@ semanage \- SELinux Policy Management tool
 .SH "SYNOPSIS"
 Output local customizations
 .br
-.B semanage [ -S store ] -o [ output_file | - ]
+.B semanage [ -S store ] \-o [ output_file | \- ]
 
 Input local customizations
 .br
-.B semanage [ -S store ] -i [ input_file | - ]
+.B semanage [ -S store ] \-i [ input_file | \- ]
 
 Manage booleans.  Booleans allow the administrator to modify the confinement of
 processes based on his configuration.
 .br
-.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] \-F boolean | boolean_file
 
 Manage SELinux confined users (Roles and levels for an SELinux user)
 .br
@@ -26,7 +26,7 @@ Manage login mappings between linux users and SELinux confined users.
 
 Manage policy modules.
 .br
-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
+.B semanage module [\-S store] \-{a|d|l} [\-m [\-\-enable | \-\-disable] ] [\-N] module_name
 
 Manage network port type definitions
 .br
@@ -39,7 +39,7 @@ Manage network interface type definitions
 
 Manage network node type definitions
 .br
-.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
+.B semanage node [\-S store] \-{a|d|m|l|D} [\-nNrt] [ \-p protocol ] [\-M netmask] address
 .br
 
 Manage file context mapping definitions
@@ -97,12 +97,12 @@ Delete a OBJECT record NAME
 Remove all OBJECTS local customizations
 .TP
 .I                \-\-disable
-Disable a policy module, requires -m option
+Disable a policy module, requires \-m option
 
 Currently modules only.
 .TP
 .I                \-\-enable
-Enable a disabled policy module, requires -m option
+Enable a disabled policy module, requires \-m option
 
 Currently modules only.
 .TP
@@ -114,7 +114,7 @@ defined for the source.
 .TP
 .I                \-f, \-\-ftype
 File Type.   This is used with fcontext.
-Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+Requires a file type as shown in the mode field by ls, e.g. use \-d to match only directories or \-\- to match only regular files.
 .TP
 .I                \-F, \-\-file
 Set multiple records from the input file.  When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
@@ -174,42 +174,42 @@ Take a set of commands from a specified file and load them in a single
 transaction.
 .TP
 .I                \-o, \-\-output
-Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
+Output all local customizations into a file. This file than can be used with the semanage \-i command to customize other machines to match the local machine.
 
 .SH EXAMPLE
 .nf
 .B SELinux user
 List SELinux users
-# semanage user -l
+# semanage user \-l
 
 .B SELinux login
 Change joe to login as staff_u
-# semanage login -a -s staff_u joe
+# semanage login \-a \-s staff_u joe
 Change the group clerks to login as user_u
-# semanage login -a -s user_u %clerks
+# semanage login \-a \-s user_u %clerks
 
 .B File contexts
-.i remember to run restorecon after you set the file context
+.I remember to run restorecon after you set the file context
 Add file-context for everything under /web
-# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
-# restorecon -R -v /web
+# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
+# restorecon \-R \-v /web
 
 Substitute /home1 with /home when setting file context
-# semanage fcontext -a -e /home /home1
-# restorecon -R -v /home1
+# semanage fcontext \-a \-e /home /home1
+# restorecon \-R \-v /home1
 
 For home directories under top level directory, for example /disk6/home,
 execute the following commands.
-# semanage fcontext -a -t home_root_t "/disk6"
-# semanage fcontext -a -e /home /disk6/home
-# restorecon -R -v /disk6
+# semanage fcontext \-a \-t home_root_t "/disk6"
+# semanage fcontext \-a \-e /home /disk6/home
+# restorecon \-R \-v /disk6
 
 .B Port contexts
 Allow Apache to listen on tcp port 81
-# semanage port -a -t http_port_t -p tcp 81
+# semanage port \-a \-t http_port_t \-p tcp 81
 
 .B Change apache to a permissive domain
-# semanage permissive -a httpd_t
+# semanage permissive \-a httpd_t
 
 .B Turn off dontaudit rules
 # semanage dontaudit off
@@ -219,10 +219,10 @@ Multiple machines that need the same customizations.
 Extract customizations off first machine, copy them
 to second and import them.
 
-# semanage -o /tmp/local.selinux
+# semanage \-o /tmp/local.selinux
 # scp /tmp/local.selinux secondmachine:/tmp
 # ssh secondmachine
-# semanage -i /tmp/local.selinux
+# semanage \-i /tmp/local.selinux
 
 If these customizations include file context, you need to apply the
 context using restorecon.
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 9f911fb..35277e9 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -21,7 +21,7 @@ by semodule_package.  Conventionally, these files have a .pp suffix
 force a reload of policy
 .TP
 .B \-B, \-\-build		
-force a rebuild of policy (also reloads unless -n is used)
+force a rebuild of policy (also reloads unless \-n is used)
 .TP
 .B \-D, \-\-disable_dontaudit
 Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
@@ -65,19 +65,19 @@ be verbose
 .SH EXAMPLE
 .nf
 # Install or replace a base policy package.
-$ semodule -b base.pp
+$ semodule \-b base.pp
 # Install or replace a non-base policy package.
-$ semodule -i httpd.pp
+$ semodule \-i httpd.pp
 # List non-base modules.
-$ semodule -l
+$ semodule \-l
 # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
-$ semodule -DB
+$ semodule \-DB
 # Turn "dontaudit" rules back on.
-$ semodule -B
+$ semodule \-B
 # Install or replace all non-base modules in the current directory.
-$ semodule -i *.pp
+$ semodule \-i *.pp
 # Install or replace all modules in the current directory.
-$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
+$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
 .fi
 
 .SH SEE ALSO
diff --git a/policycoreutils/semodule_deps/semodule_deps.8 b/policycoreutils/semodule_deps/semodule_deps.8
index 86b7b3c..6f21a64 100644
--- a/policycoreutils/semodule_deps/semodule_deps.8
+++ b/policycoreutils/semodule_deps/semodule_deps.8
@@ -3,7 +3,7 @@
 semodule_deps \- show the dependencies between SELinux policy packages.
 
 .SH SYNOPSIS
-.B semodule_deps [-v -g -b] basemodpkg modpkg1 [modpkg2 ... ]
+.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ]
 .br
 .SH DESCRIPTION
 .PP
@@ -19,12 +19,12 @@ general this means that the list of modules will usually be
 quite long.
 
 By default options to the base module are excluded as almost every
-module has this dependency. The -b option will include these
+module has this dependency. The \-b option will include these
 dependencies.
 
 In addition to human readable output, semodule_deps can output the
 dependencies in the Graphviz dot format (http://www.graphviz.org/)
-using the -g option. This is useful for producing a picture of the
+using the \-g option. This is useful for producing a picture of the
 dependencies.
 
 .SH "OPTIONS"
diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8
index ddad2d2..563d526 100644
--- a/policycoreutils/semodule_package/semodule_package.8
+++ b/policycoreutils/semodule_package/semodule_package.8
@@ -3,7 +3,7 @@
 semodule_package \- Create a SELinux policy module package.
 
 .SH SYNOPSIS
-.B semodule_package -o <output file> -m <module> [-f <file contexts>]
+.B semodule_package \-o <output file> \-m <module> [\-f <file contexts>]
 .br
 .SH DESCRIPTION
 .PP
@@ -16,11 +16,11 @@ be installed via semodule.
 .SH EXAMPLE
 .nf
 # Build a policy package for a base module.
-$ semodule_package -o base.pp -m base.mod -f file_contexts
+$ semodule_package \-o base.pp \-m base.mod \-f file_contexts
 # Build a policy package for a httpd module.
-$ semodule_package -o httpd.pp -m httpd.mod -f httpd.fc
+$ semodule_package \-o httpd.pp \-m httpd.mod \-f httpd.fc
 # Build a policy package for local TE rules and no file contexts.
-$ semodule_package -o local.pp -m local.mod 
+$ semodule_package \-o local.pp \-m local.mod
 .fi
 
 .SH "OPTIONS"
diff --git a/policycoreutils/sestatus/sestatus.conf.5 b/policycoreutils/sestatus/sestatus.conf.5
index d2bb3fe..acfedf6 100644
--- a/policycoreutils/sestatus/sestatus.conf.5
+++ b/policycoreutils/sestatus/sestatus.conf.5
@@ -49,7 +49,7 @@ The start of the file list block.
 .RE
 .I file_name
 .RS
-One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus -v\fR will also display the target file context.
+One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus \-v\fR will also display the target file context.
 .RE
 .sp
 .B [process]
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 80b6d6e..dff06d8 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -26,6 +26,10 @@ If a file object does not have a context, restorecon will write the default
 context to the file object's extended attributes. If a file object has a
 context, restorecon will only modify the type portion of the security context.
 The -F option will force a replacement of the entire context.
+.P
+It is the same executable as
+.BR setfiles
+but operates in a slightly different manner depending on it's argv[0].
 
 .SH "OPTIONS"
 .TP
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 89d2a49..c405c63 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -23,7 +23,7 @@ check whether the file contexts are all set as specified by the active policy
 If a file object does not have a context, setfiles will write the default
 context to the file object's extended attributes. If a file object has a
 context, setfiles will only modify the type portion of the security context.
-The -F option will force a replacement of the entire context.
+The \-F option will force a replacement of the entire context.
 .SH "OPTIONS"
 .TP
 .B \-c
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 38abeb8..d53f15b 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -4,21 +4,21 @@ setsebool \- set SELinux boolean value
 
 .SH "SYNOPSIS"
 .B setsebool
-.I "[ -PN ] boolean value | bool1=val1 bool2=val2 ..."
+.I "[ \-PN ] boolean value | bool1=val1 bool2=val2 ..."
 
 .SH "DESCRIPTION"
 .B setsebool 
 sets the current state of a particular SELinux boolean or a list of booleans 
 to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
 
-Without the -P option, only the current boolean value is 
+Without the \-P option, only the current boolean value is
 affected; the boot-time default settings 
 are not changed. 
 
-If the -P option is given, all pending values are written to
+If the \-P option is given, all pending values are written to
 the policy file on disk. So they will be persistent across reboots.
 
-If the -N option is given, the policy on disk is not reloaded into the kernel.
+If the \-N option is given, the policy on disk is not reloaded into the kernel.
 
 
 .SH AUTHOR	
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 14/16] policycoreutils: Fix semange alternative logging code

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

Fix semanage logging code when python-audit is not installed
---
 policycoreutils/semanage/seobject.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 85bc37f..236a182 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -89,7 +89,7 @@ except:
 			self.log_list=[]
 
 		def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
-			message += " %s name=%s" % (msg, name)
+			message = " %s name=%s" % (msg, name)
 			if sename != "":
 				message += " sename=" + sename
 			if oldsename != "":
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 15/16] policycoreutils: init_policy() takes no arguments

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

Fix "function declaration isn't a prototype" error when
-Werror=strict-prototypes is set
---
 policycoreutils/sepolicy/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 4eca22d..e454e75 100644
--- a/policycoreutils/sepolicy/policy.c
+++ b/policycoreutils/sepolicy/policy.c
@@ -87,7 +87,7 @@ static PyMethodDef methods[] = {
 	{NULL, NULL, 0, NULL}	/* sentinel */
 };
 
-void init_policy() {
+void init_policy(void) {
 PyObject *m;
 m = Py_InitModule("_policy", methods);
 init_info(m);
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 16/16] policycoreutils: Do not include LDFLAGS in CFLAGS when building sepolicy

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

For some reasons, -fpie and -fPIE are being set in LDFLAGS, this is
causing a FTBFS on Debian.

-fpie and -fPIE are anyway useless for libraries
---
 policycoreutils/sepolicy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
index 11b534f..47f00da 100644
--- a/policycoreutils/sepolicy/Makefile
+++ b/policycoreutils/sepolicy/Makefile
@@ -9,7 +9,7 @@ LOCALEDIR ?= /usr/share/locale
 PYTHON ?= /usr/bin/python
 BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
 SHAREDIR ?= $(PREFIX)/share/sandbox
-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+override CFLAGS = -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
 
 BASHCOMPLETIONS=sepolicy-bash-completion.sh 
 
-- 
1.8.2.1


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 16/16] policycoreutils: Do not include LDFLAGS in CFLAGS when building sepolicy

[Stephen Smalley]

On 05/10/2013 08:45 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> For some reasons, -fpie and -fPIE are being set in LDFLAGS, this is
> causing a FTBFS on Debian.
> 
> -fpie and -fPIE are anyway useless for libraries

Thanks, all 16 patches applied.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 06/16] libsemanage: Also check for the uppoer bound on user ids in login.defs

[Stephen Smalley]

On 05/10/2013 08:45 AM, Laurent Bigonville wrote:
> From: Manoj Srivastava <srivasta@debian.org>
> 
> Some non-Debian packages (like qmail, shudder) create
> users not below MIN_UID, but above MAX_UID, in /etc/login.defs
> (non-system users are supposed to have uids between MIN_UID and
> MAX_UID.
> 
> genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
> /etc/login.defs to exclude system users from generating homedir
> contexts. But unfortunately it does not check it against MAX_UID
> setting from the same file. This gets us lines like the following in
> the contexts/files/file_contexts.homedirs file:
> ,----
> | #
> | # Home Context for user user_u
> | #
> | /var/qmail/[^/]*/.+ user_u:object_r:user_home_t:s0
> | /var/qmail/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
> | /var/qmail/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
> | /var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
> | /var/qmail/lost\+found/.* <<none>>
> | /var/qmail -d system_u:object_r:home_root_t:s0
> | /var/qmail/\.journal <<none>>
> | /var/qmail/lost\+found -d system_u:object_r:lost_found_t:s0
> | /tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
> `----
> This commit adds checking uid value againt MAX_UID too.

On this one, I had to apply a change on top to avoid build breakage due
to strict warnings:
genhomedircon.c: In function ‘get_home_dirs’:
genhomedircon.c:287:22: error: variable ‘maxuid_set’ set but not used
[-Werror=unused-but-set-variable]
cc1: all warnings being treated as errors
make[2]: *** [genhomedircon.o] Error 1




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.