* [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups
@ 2020-08-04  1:33 Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 01/18] build: explicitly enable pandoc pipe_tables Paul Moore
                   ` (17 more replies)
  0 siblings, 18 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

This patchset helps to get us a little closer to finishing the work
of converting The SELinux Notebook to markdown.  I believe this is
a worthwhile goal for two main reasons: it makes the raw markdown
much easier to read (the HTML tables are painful in source form),
and it makes it easier to render the markdown into different formats
(currently HTML and PDF).

My original goal for this patchset was to complete the markdown
conversion before posting the series, but I now realize that was
neither a practical nor good idea.  While this patchset may miss my
original goal, I do believe it is a step forward both in terms of the
raw markdown and the rendered formats, and I would suggest we merge
these changes assuming no strong objections.

For those who want to quickly check the markdown on GitHub or the
rendered HTML and PDF formats, I've included the links below:

* https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.pdf
* https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.html
* https://github.com/pcmoore/misc-selinux_notebook/tree/working-md_full

---

Paul Moore (16):
      build: explicitly enable pandoc pipe_tables
      css: identify table layout hacks
      css: style improvements
      x_windows: fully convert to markdown
      xperm_rules: fully convert to markdown
      xen_statements: fully convert to markdown
      vm_support: fully convert to markdown
      user_statements: fully convert to markdown
      userspace_libraries: fully convert to markdown
      type_statements: fully convert to markdown
      all: remove all the <br> tags we haven't gotten to yet
      all: unify example formatting (scripts, code, policy, etc) in markdown
      all: don't use "`" for formatting text, use "*" instead
      all: consolidate multiple blank lines into one
      kernel_policy_language: convert the footnotes to markdown
      title: assorted updates

Richard Haines (2):
      postgresql: update PostgreSQL SELinux Support section
      x_windows: don't call table 12 a table


 src/apache_support.md              |  53 +--
 src/auditing.md                    |  36 +-
 src/avc_rules.md                   |  48 +--
 src/bounds_rules.md                |  18 +-
 src/cil_overview.md                |  43 +-
 src/class_permission_statements.md |  44 +-
 src/computing_access_decisions.md  |   2 -
 src/computing_security_contexts.md | 224 +++++-----
 src/conditional_statements.md      |  36 +-
 src/configuration_files.md         |  10 +-
 src/constraint_statements.md       |  52 +--
 src/core_components.md             |  10 -
 src/debug_policy_hints.md          |   5 -
 src/default_rules.md               |  40 +-
 src/domain_object_transitions.md   | 138 +++---
 src/file_labeling_statements.md    |  58 ++-
 src/global_config_files.md         |  16 +-
 src/images/24-database-table.png   | Bin 44747 -> 0 bytes
 src/implementing_seaware_apps.md   |  28 +-
 src/infiniband_statements.md       |  36 +-
 src/kernel_policy_language.md      |  59 ++-
 src/libselinux_functions.md        |   4 +-
 src/lsm_selinux.md                 | 161 ++++---
 src/mac.md                         |   5 -
 src/mls_mcs.md                     |  45 +-
 src/mls_statements.md              |  84 ++--
 src/modes.md                       |   7 +-
 src/modular_policy_statements.md   |  28 +-
 src/network_statements.md          |  80 ++--
 src/network_support.md             |  78 ++--
 src/object_classes_permissions.md  | 255 +++++------
 src/objects.md                     |  40 +-
 src/pam_login.md                   |   7 +-
 src/policy_config_files.md         | 182 ++++----
 src/policy_config_statements.md    |  10 +-
 src/policy_languages.md            |   2 -
 src/policy_store_config_files.md   | 137 +++---
 src/policy_validation_example.md   |  14 +-
 src/polyinstantiation.md           |  31 +-
 src/postgresql.md                  | 145 +++----
 src/rbac.md                        |   9 +-
 src/reference_policy.md            | 321 ++++++--------
 src/role_statements.md             |  82 ++--
 src/seandroid.md                   |  91 ++--
 src/security_context.md            |  10 +-
 src/selinux_cmds.md                |   3 -
 src/selinux_overview.md            |   4 -
 src/sid_statement.md               |  24 +-
 src/styles_html.css                |  16 +-
 src/styles_pdf.css                 |  24 +-
 src/subjects.md                    |   7 +-
 src/terminology.md                 |   5 -
 src/title.md                       |  16 +-
 src/toc.md                         |   4 +-
 src/type_enforcement.md            |  55 ++-
 src/type_statements.md             | 672 ++++++++++++-----------------
 src/types_of_policy.md             |  31 +-
 src/user_statements.md             | 121 +++---
 src/users.md                       |  15 +-
 src/userspace_libraries.md         | 169 ++++----
 src/vm_support.md                  | 147 ++-----
 src/x_windows.md                   | 374 ++++++++--------
 src/xen_statements.md              | 370 ++++++----------
 src/xperm_rules.md                 | 146 +++----
 64 files changed, 2157 insertions(+), 2830 deletions(-)
 delete mode 100644 src/images/24-database-table.png

--
paul moore
www.paul-moore.com


* [RFC,selinux-notebook PATCH 01/18] build: explicitly enable pandoc pipe_tables
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 02/18] css: identify table layout hacks Paul Moore
                   ` (16 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

As of July 2020 GitHub Markdown supports pipe tables.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 9bd0ffa..f41bb16 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,8 @@ PDF_OUT = SELinux_Notebook.pdf
 
 SED = sed
 PANDOC = pandoc
-PANDOC_OPTS=-V mainfont='DejaVu Serif' -V monofont='DejaVu Sans Mono'
+PANDOC_OPTS  = --from markdown+pipe_tables
+PANDOC_OPTS += -V mainfont='DejaVu Serif' -V monofont='DejaVu Sans Mono'
 
 # the individual section files, in order
 FILE_LIST = $(shell cat src/section_list.txt)
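
Review bot: the commit message gives GitHub's pipe-table support as the reason, but the new 'PANDOC_OPTS  = --from markdown+pipe_tables' line only changes how pandoc reads the sources, and nothing says why pandoc needs the extension spelled out. Please add a sentence to the commit message, or a comment above PANDOC_OPTS, stating the pandoc-side reason for naming the input format explicitly. Minor style point: the two new assignments use aligned '  =' and '+=' while 'SED = sed' and 'PANDOC = pandoc' just above use a single space.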



* [RFC,selinux-notebook PATCH 02/18] css: identify table layout hacks
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 01/18] build: explicitly enable pandoc pipe_tables Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 03/18] css: style improvements Paul Moore
                   ` (15 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

Better identify, and tweak, some of the table layout hacks so that
we know to revisit them later once we have fully converted to
markdown.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/styles_html.css |    1 -
 src/styles_pdf.css  |    6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/styles_html.css b/src/styles_html.css
index ea3f7ee..887051c 100644
--- a/src/styles_html.css
+++ b/src/styles_html.css
@@ -21,7 +21,6 @@ table {
 }
 table tr, th, td {
 	border: 1px solid black;
-	word-wrap: break-word;
 }
 
 img {
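
Review bot: removing 'word-wrap: break-word' from the 'table tr, th, td' rule in styles_html.css is a rendering change, while the commit message only talks about identifying and tweaking hacks to revisit later. The PDF stylesheet keeps the same property under a TODO, so the HTML and PDF outputs will now wrap long table cells differently. Please say in the commit message why the HTML output no longer needs it, or keep the property here with the same TODO.
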
diff --git a/src/styles_pdf.css b/src/styles_pdf.css
index 48da310..5fa9d02 100644
--- a/src/styles_pdf.css
+++ b/src/styles_pdf.css
@@ -62,12 +62,16 @@ table {
 	margin-left: auto;
 	margin-right: auto;
 	width: 95%;
-	table-layout: fixed;
 	/* combine table borders when they are adjacent */
 	border-collapse: collapse;
+	/* TODO: once we finish the HTML->Markdown conversion we should
+	 *       revaluate the 'table-layout: fixed' hack below */
+	table-layout: fixed;
 }
 table tr, th, td {
 	border: 1px solid black;
+	/* TODO: once we finish the HTML->Markdown conversion we should
+	 *       revaluate the 'word-wrap: break-word' hack below */
 	word-wrap: break-word;
 }
 
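
Review bot: both new TODO comments in styles_pdf.css spell "re-evaluate" as 'revaluate'; worth fixing in this patch, since comments like these tend to get copied when the rules are split or reworked. It would also help if the TODO named what the hack works around (the remaining HTML tables, going by the commit message), so whoever revisits it knows when it is safe to drop.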



* [RFC,selinux-notebook PATCH 03/18] css: style improvements
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 01/18] build: explicitly enable pandoc pipe_tables Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 02/18] css: identify table layout hacks Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 04/18] x_windows: fully convert to markdown Paul Moore
                   ` (14 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/styles_html.css |   15 ++++++++++++++-
 src/styles_pdf.css  |   18 +++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/styles_html.css b/src/styles_html.css
index 887051c..fef851e 100644
--- a/src/styles_html.css
+++ b/src/styles_html.css
@@ -15,11 +15,18 @@ a {
 
 table {
 	/* limit to 95% page width */
+	min-width: 50%;
 	max-width: 95%;
 	/* combine table borders when they are adjacent */
 	border-collapse: collapse;
 }
-table tr, th, td {
+table th {
+	padding: 0.5em;
+	border: 1px solid black;
+	background-color: #d3d3d3;
+}
+table tr, td {
+	padding: 0.5em;
 	border: 1px solid black;
 }
 
@@ -30,3 +37,9 @@ img {
 	margin-right: auto;
 	max-width: 95%;
 }
+
+pre {
+	width: 95%;
+	padding: 1em;
+	background-color: #f5f5f5;
+}
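
Review bot: the new 'pre' rule in styles_html.css sets 'width: 95%' but no overflow behaviour, so an example line wider than the box will spill outside the grey background. Consider adding 'overflow-x: auto'. The copy of this rule in styles_pdf.css carries a '/* force/limit to 95% page width */' comment that is missing here.
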
diff --git a/src/styles_pdf.css b/src/styles_pdf.css
index 5fa9d02..f0bba23 100644
--- a/src/styles_pdf.css
+++ b/src/styles_pdf.css
@@ -68,7 +68,16 @@ table {
 	 *       revaluate the 'table-layout: fixed' hack below */
 	table-layout: fixed;
 }
-table tr, th, td {
+table th {
+	padding: 0.5em;
+	border: 1px solid black;
+	background-color: #d3d3d3;
+	/* TODO: once we finish the HTML->Markdown conversion we should
+	 *       revaluate the 'word-wrap: break-word' hack below */
+	word-wrap: break-word;
+}
+table tr, td {
+	padding: 0.5em;
 	border: 1px solid black;
 	/* TODO: once we finish the HTML->Markdown conversion we should
 	 *       revaluate the 'word-wrap: break-word' hack below */
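
Review bot: the new 'table th' rule in styles_pdf.css duplicates 'padding', 'border' and the whole TODO comment from the 'table tr, td' rule below it, so the hack that is meant to be revisited later now has to be found and removed in two places. Keeping one shared rule for the common properties and a short 'table th { background-color: #d3d3d3; }' for the header would leave a single TODO. The copied comment also repeats the 'revaluate' spelling.
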
@@ -82,3 +91,10 @@ img {
 	margin-right: auto;
 	max-width: 95%;
 }
+
+pre {
+	/* force/limit to 95% page width */
+	width: 95%;
+	padding: 1em;
+	background-color: #f5f5f5;
+}
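
Review bot: in styles_pdf.css the new 'pre' rule forces 'width: 95%' with no wrapping rule, and paged output cannot scroll, so example lines wider than the box will run past it in the PDF. Adding 'white-space: pre-wrap' here, with a TODO like the table hacks if it is meant to be temporary, would keep long policy examples readable.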



* [RFC,selinux-notebook PATCH 04/18] x_windows: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (2 preceding siblings ...)
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 03/18] css: style improvements Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 05/18] xperm_rules: " Paul Moore
                   ` (13 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/x_windows.md |  330 +++++++++++++++++++++++++++---------------------------
 1 file changed, 163 insertions(+), 167 deletions(-)

diff --git a/src/x_windows.md b/src/x_windows.md
index e2625f7..86f966e 100644
--- a/src/x_windows.md
+++ b/src/x_windows.md
@@ -68,7 +68,8 @@ time, then the X-function will only succeed if allowed by all the
 security extensions in the chain.
 
 This interface is defined in the
-"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)". The specification also defines the hooks available to OMs and
+"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)".
+The specification also defines the hooks available to OMs and
 how they should be used. The provision of polyinstantiation services for
 properties and selections is also discussed. The XACE interface is a
 similar service to the LSM that supports the kernel OMs.
@@ -85,8 +86,6 @@ managers such as Gnome, twm or KDE.
 [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
 section.
 
-<br>
-
 ## Polyinstantiation
 
 The OM / XACE services support polyinstantiation of properties and
@@ -104,8 +103,6 @@ polyinstantiation, instead the MLS policy uses
 [**`mlsconstrain`**](constraint_statements.md#mlsconstrain) to limit the scope
 of properties and selections.
 
-<br>
-
 ## Configuration Information
 
 This section covers:
@@ -234,167 +231,169 @@ client * system_u:object_r:remote_t:s0
 A full description of the *x_contexts* file format is given in the
 [***x_contexts***](policy_config_files.md#contextsx_contexts) section.
 
-<br>
-
 ## SELinux Extension Functions
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Function Name</strong></td>
-<td><strong>Minor Parameters</strong></td>
-<td><strong>Opcode</strong></td>
-<td><strong>Comments</strong></td>
-</tr>
-<tr>
-<td>XSELinuxQueryVersion</td>
-<td>0</td>
-<td>None</td>
-<td>Returns the XSELinux version. Fedora returns 1.1</td>
-</tr>
-<tr>
-<td>XSELinuxSetDeviceCreateContext</td>
-<td>1</td>
-<td>Context+Len</td>
-<td>Sets the context for creating a device object (<em>x_device</em>).</td>
-</tr>
-<tr>
-<td>XSELinuxGetDeviceCreateContext</td>
-<td>2</td>
-<td>None</td>
-<td>Retrieves the context set by <em>XSELinuxSetDeviceCreateContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxSetDeviceContext</td>
-<td>3</td>
-<td>DeviceID + Context+Len</td>
-<td>Sets the context for creating the specified DeviceID object.</td>
-</tr>
-<tr>
-<td>XSELinuxGetDeviceContext</td>
-<td>4</td>
-<td>DeviceID</td>
-<td>Retrieves the context set by <em>XSELinuxSetDeviceContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxSetWindowCreateContext</td>
-<td>5</td>
-<td>Context+Len</td>
-<td>Set the context for creating a window object (<em>x_window</em>).</td>
-</tr>
-<tr>
-<td>XSELinuxGetWindowCreateContext</td>
-<td>6</td>
-<td>None</td>
-<td>Retrieves the context set by <em>XSELinuxSetWindowCreateContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxGetWindowContext</td>
-<td>7</td>
-<td>WindowID</td>
-<td>Retrieves the specified WindowID context.</td>
-</tr>
-<tr>
-<td>XSELinuxSetPropertyCreateContext</td>
-<td>8</td>
-<td>Context + Len</td>
-<td>Sets the context for creating a property object (<em>x_property</em>).</td>
-</tr>
-<tr>
-<td>XSELinuxGetPropertyCreateContext</td>
-<td>9</td>
-<td>None</td>
-<td>Retrieves the context set by <em>XSELinuxSetPropertyCreateContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxSetPropertyUseContext</td>
-<td>10</td>
-<td>Context + Len</td>
-<td>Sets the context of the property object to be retrieved when polyinstantiation is being used.</td>
-</tr>
-<tr>
-<td>XSELinuxGetPropertyUseContext</td>
-<td>11</td>
-<td>None</td>
-<td>Retrieves the property object context set by <em>SELinuxSetPropertyUseContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxGetPropertyContext</td>
-<td>12</td>
-<td>WindowID + AtomID</td>
-<td>Retrieves the context of the property atom object.</td>
-</tr>
-<tr>
-<td>XSELinuxGetPropertyDataContext</td>
-<td>13</td>
-<td>WindowID + AtomID</td>
-<td>Retrieves the context of the property atom data. </td>
-</tr>
-<tr>
-<td>XSELinuxListProperties</td>
-<td>14</td>
-<td>WindowID</td>
-<td>Lists the object and data contexts of properties associated with the selected WindowID.</td>
-</tr>
-<tr>
-<td>XSELinuxSetSelectionCreateContext</td>
-<td>15</td>
-<td>Context+Len</td>
-<td>Sets the context to be used for creating a selection object.</td>
-</tr>
-<tr>
-<td>XSELinuxGetSelectionCreateContext</td>
-<td>16</td>
-<td>None</td>
-<td>Retrieves the context set by <em>SELinuxSetSelectionCreateContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxSetSelectionUseContext</td>
-<td>17</td>
-<td>Context+Len</td>
-<td>Sets the context of the selection object to be retrieved when polyinstantiation is being used. See the <em>XSELinuxListSelections</em> function for an example.</td>
-</tr>
-<tr>
-<td>XSELinuxGetSelectionUseContext</td>
-<td>18</td>
-<td>None</td>
-<td>Retrieves the selection object context set by <em>SELinuxSetSelectionUseContext</em>.</td>
-</tr>
-<tr>
-<td>XSELinuxGetSelectionContext</td>
-<td>19</td>
-<td>AtomID</td>
-<td>Retrieves the context of the specified selection atom object.</td>
-</tr>
-<tr>
-<td>XSELinuxGetSelectionDataContext</td>
-<td>20</td>
-<td>AtomID</td>
-<td>Retrieves the context of the selection data from the current selection owner (<em>x_application_data</em> object).</td>
-</tr>
-<tr>
-<td>XSELinuxListSelections</td>
-<td>21</td>
-<td>None</td>
-<td><p>Lists the selection atom object and data contexts associated with this display. The main difference in the listings is that when (for example) the <em>PRIMARY</em> selection atom is polyinstantiated, multiple entries can returned. One has the context of the atom itself, and one entry for each process (or x-client) that has an active polyinstantiated entry, for example:</p>
-<p>Atom: PRIMARY - label defined in the<em> x_contexts</em> file (this is also for non-poly listing):</p>
-<p>Object Context: system_u:object_r:primary_xselection_t</p>
-<p>Data Context:  system_u:object_r:primary_xselection_t</p>
-<p>Atom: PRIMARY - Labels for client 1:</p>
-<p>Object Context: system_u:object_r:x_select_paste1_t</p>
-<p>Data Context:  system_u:object_r:x_select_paste1_t</p>
-<p>Atom: PRIMARY - Labels for client 2:</p>
-<p>Object Context: system_u:object_r:x_select_paste2_t</p>
-<p>Data Context:  system_u:object_r:x_select_paste2_t</p></td>
-</tr>
-<tr>
-<td><em><em>XSELinuxGetClientContext</em></em></td>
-<td><em><em>22</em></em></td>
-<td><em><em>ResourceID</em></em></td>
-<td><em><em>Retrieves the client context of the specified ResourceID.</em></em></td>
-</tr>
-</tbody>
-</table>
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxQueryVersion              | 0                | None       |
+
+Returns the XSELinux version. Fedora returns 1.1.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetDeviceCreateContext    | 1                | Context + Len         |
+
+Sets the context for creating a device object (*x_device*).
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetDeviceCreateContext    | 2                | None                  |
+
+Retrieves the context set by *XSELinuxSetDeviceCreateContext*.
+
+| Function Name                   | Minor Parameter | Opcode                   |
+| ------------------------------- | --------------- | ------------------------ |
+| XSELinuxSetDeviceContext        | 3               | DeviceID + Context + Len |
+
+Sets the context for creating the specified DeviceID object.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetDeviceContext          | 4                | DeviceID              |
+
+Retrieves the context set by *XSELinuxSetDeviceContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetWindowCreateContext    | 5                | Context + Len         |
+
+Set the context for creating a window object (*x_window*).
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetWindowCreateContext    | 6                | None                  |
+
+Retrieves the context set by *XSELinuxSetWindowCreateContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetWindowContext          | 7                | WindowID              |
+
+Retrieves the specified WindowID context.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetPropertyCreateContext  | 8                | Context               |
+
+Sets the context for creating a property object (*x_property*).
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetPropertyCreateContext  | 9                | None                  |
+
+Retrieves the context set by *XSELinuxSetPropertyCreateContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetPropertyUseContext     | 10               | Context + Len         |
+
+Sets the context of the property object to be retrieved when polyinstantiation
+is being used.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetPropertyUseContext     | 11               | None                  |
+
+Retrieves the property object context set by *SELinuxSetPropertyUseContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetPropertyContext        | 12               | WindowID + AtomID     |
+
+Retrieves the context of the property atom object.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetPropertyDataContext    | 13               | WindowID + AtomID     |
+
+Retrieves the context of the property atom data.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxListProperties            | 14               | WindowID              |
+
+Lists the object and data contexts of properties associated with the selected
+WindowID.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetSelectionCreateContext | 15               | Context + Len         |
+
+Sets the context to be used for creating a selection object.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetSelectionCreateContext | 16               | None                  |
+
+Retrieves the context set by *SELinuxSetSelectionCreateContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxSetSelectionUseContext    | 17               | Context + Len         |
+
+Sets the context of the selection object to be retrieved when polyinstantiation
+is being used. See the *XSELinuxListSelections* function for an example.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetSelectionUseContext    | 18               | None                  |
+
+Retrieves the selection object context set by *SELinuxSetSelectionUseContext*.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetSelectionContext       | 19               | AtomID                |
+
+Retrieves the context of the specified selection atom object.
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetSelectionDataContext   | 20               | AtomID                |
+
+Retrieves the context of the selection data from the current selection owner
+(*x_application_data* object).
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxListSelections            | 21               | None                  |
+
+Lists the selection atom object and data contexts associated with this display.
+The main difference in the listings is that when (for example) the *PRIMARY*
+selection atom is polyinstantiated, multiple entries can returned. One has the 
+context of the atom itself, and one entry for each process (or x-client) that
+has an active polyinstantiated entry, for example:
+
+Atom: PRIMARY - label defined in the *x_contexts* file (this is also for
+non-poly listing):
+
+- Object Context: *system_u:object_r:primary_xselection_t*
+- Data Context: *system_u:object_r:primary_xselection_t*
+
+Atom: PRIMARY - Labels for client 1:
+
+- Object Context: *system_u:object_r:x_select_paste1_t*
+- Data Context: *system_u:object_r:x_select_paste1_t*
+
+Atom: PRIMARY - Labels for client 2:
+
+- Object Context: *system_u:object_r:x_select_paste2_t*
+- Data Context: *system_u:object_r:x_select_paste2_t*
+
+| Function Name                     | Minor Parameters | Opcode                |
+| --------------------------------- | ---------------- | --------------------- |
+| XSELinuxGetClientContext          | 22               | ResourceID            |
+
+Retrieves the client context of the specified ResourceID.
 
 **Table 12: The XSELinux Extension Functions** - *Supported by the object
 manager as X-protocol extensions. Note that some functions will return
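
Review bot: the new row for XSELinuxSetPropertyCreateContext (8) reads 'Context' where the removed HTML row had 'Context + Len', so the conversion drops information; the other Set*CreateContext rows keep 'Context + Len'. Two smaller inconsistencies in the same hunk: the XSELinuxSetDeviceContext table uses the header 'Minor Parameter' (singular, with different column widths) and the XSELinuxQueryVersion row is not padded like the rest. Since the text is being rewritten anyway, 'multiple entries can returned' and the '*SELinuxSet...*' cross-references that lost their leading 'X' could be fixed here too. Splitting the table into 23 one-row tables also leaves the 'Table 12' caption below without a single table to refer to.
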
@@ -402,9 +401,6 @@ the default contexts, while others (2, 6, 9, 11, 16, 18) will not return
 a value unless one has been set the the appropriate function (1, 5, 8,
 10, 15, 17) by an SELinux-aware application.*
 
-
-<br>
-
 <!-- %CUTHERE% -->
 
 ---



* [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (3 preceding siblings ...)
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 04/18] x_windows: fully convert to markdown Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04 16:14   ` Richard Haines
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 06/18] xen_statements: " Paul Moore
                   ` (12 subsequent siblings)
  17 siblings, 1 reply; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/xperm_rules.md |  138 ++++++++++++++++++++++++----------------------------
 1 file changed, 64 insertions(+), 74 deletions(-)

diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index 48beb41..21878ea 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -2,8 +2,8 @@
 
 There are three extended AV rules implemented from Policy version 30
 with the target platform 'selinux' that expand the permission sets from
-a fixed 32 bits to permission sets in 256 bit increments: `allowxperm`,
-`dontauditxperm`, `auditallowxperm` and `neverallowxperm`.
+a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
+*dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
 
 The rules for extended permissions are subject to the 'operation' they
 perform with Policy version 30 and kernels from 4.3 supporting ioctl
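
Review bot: the context line at the top of this hunk says 'There are three extended AV rules', while the sentence being edited lists four keywords (*allowxperm*, *dontauditxperm*, *auditallowxperm* and *neverallowxperm*). Since these lines are touched anyway, please correct the count in the same patch.
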
@@ -16,66 +16,59 @@ libsepol 2.7 minimum is required).
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>rule_name</code></td>
-<td>The applicable <code>allowxperm</code>, <code>dontauditxperm</code>, <code>auditallowxperm</code> or <code>neverallowxperm</code> rule keyword.</td>
-</tr>
-<tr>
-<td><p><code>source_type</code></p>
-<p><code>target_type</code></p></td>
-<td><p>One or more source / target <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.</p>
-<p>The target_type can have the <code>self</code> keyword instead of <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. This means that the <code>target_type</code> is the same as the <code>source_type</code>.</p></td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>One or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>operation<code></td>
-<td>A key word defining the operation to be implemented by the rule. Currently only the <code>ioctl</code> operation is supported by the kernel policy language and kernel as described in the  <a href="#ioctl-operation-rules"><code>ioctl</code> Operation Rules</a> section.</td>
-</tr>
-<tr>
-<td><code>xperm_set</code></td>
-<td><p>One or more extended permissions represented by numeric values (i.e. <code>0x8900</code> or <code>35072</code>). The usage is dependent on the specified <em>operation</em>.</p>
-<p>Multiple entries consist of a space separated list enclosed in braces '{}'.</p>
-<p>The complement operator '~' is used to specify all permissions except those explicitly listed.</p>
-<p>The range operator '-' is used to specify all permissions within the <code>low – high</code> range.</p>
-<p>An example is shown in the <a href="#ioctl-operation-rules"><code>ioctl</code> Operation Rules</a> section.</p></td>
-</tr>
-</tbody>
-</table>
+*rule_name*
+
+The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm*
+or *neverallowxperm* rule keyword.
+
+*source_type*
+
+One or more source / target *type*, *typealias* or *attribute* identifiers.
+Multiple entries consist of a space separated list enclosed in braces \'{}\'.
+Entries can be excluded from the list by using the negative operator \'-\'.
+
+*target_type*
+
+The target_type can have the *self* keyword instead of *type*, *typealias* or
+*attribute* identifiers. This means that the *target_type* is the same as the
+*source_type*.
+
+*class*
+
+One or more object classes. Multiple entries consist of a space separated list
+enclosed in braces \'{}\'.
+
+*operation*
+
+A key word defining the operation to be implemented by the rule. Currently only
+the *ioctl* operation is supported by the kernel policy language and kernel as
+described in the [*ioctl* Operation Rules](#ioctl-operation-rules) section.
+
+*xperm_set*
+
+One or more extended permissions represented by numeric values (i.e. *0x8900*
+or *35072*). The usage is dependent on the specified *operation*. Multiple
+entries consist of a space separated list enclosed in braces \'{}\'. The
+complement operator \'\~\' is used to specify all permissions except those
+explicitly listed. The range operator \'-\' is used to specify all permissions
+within the *low – high* range. An example is shown in the
+[*ioctl* Operation Rules](#ioctl-operation-rules) section.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
-<br>
-
-### `ioctl` Operation Rules
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
+
+### *ioctl* Operation Rules
 
 Use cases and implementation details for ioctl command whitelisting are
 described in detail at
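Review bot: the header row of the new "Conditional Policy Statements" table mixes capitalisation: "| *if* statement | *optional* Statement | *require* Statement |" has a lowercase "statement" in the first cell only. Suggest "*if* Statement" so the three cells match, as they did in the removed HTML header. Two smaller items in the same hunk: under *xperm_set*, "(i.e. *0x8900* or *35072*)" introduces examples, so "e.g." is the right abbreviation, and the *source_type* text still reads "One or more source / target" although *target_type* has its own entry directly below.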
@@ -85,14 +78,14 @@ policy format changes shown in the example below with a brief overview
 the final upstream kernel patch).
 
 Ioctl calls are generally used to get or set device options. Policy
-versions &lt; 30 only controls whether an `ioctl` permission is allowed
-or not, for example this rule allows the object class `tcp_socket` the
-`ioctl` permission:
+versions &lt; 30 only controls whether an *ioctl* permission is allowed
+or not, for example this rule allows the object class *tcp_socket* the
+*ioctl* permission:
 
 `allow src_t tgt_t : tcp_socket ioctl;`
 
 From Policy version 30 it is possible to control ***ioctl**(2)*
-'*request*' parameters provided the `ioctl` permission is also allowed,
+'*request*' parameters provided the *ioctl* permission is also allowed,
 for example:
 
 ```
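Review bot: the rewritten line "versions &lt; 30 only controls whether an *ioctl* permission is allowed" keeps the HTML entity and the subject/verb mismatch ("versions ... controls"). Since the aim of the patch is plain markdown that reads well in source form, suggest "Policy versions earlier than 30 only control whether an *ioctl* permission is allowed", which removes the entity and fixes the grammar in one go.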
@@ -101,14 +94,14 @@ allow src_t tgt_t : tcp_socket ioctl;
 allowxperm src_t tgt_t : tcp_socket ioctl ~0x8927;
 ```
 
-The `allowxperm` rule states that all ioctl request parameters are
+The *allowxperm* rule states that all ioctl request parameters are
 allowed for the source/target/class with the exception of the value
-`0x8927` that (using *include/linux/sockios.h*) is **SIOCGIFHWADDR**, or
+*0x8927* that (using *include/linux/sockios.h*) is **SIOCGIFHWADDR**, or
 'get hardware address'.
 
 An example audit log entry denying an ioctl request to add a routing
-table entry (**SIOCADDRT** - `ioctlcmd=890b`) for *goldfish_setup* on a
-`udp_socket` is:
+table entry (**SIOCADDRT** - *ioctlcmd=890b*) for *goldfish_setup* on a
+*udp_socket* is:
 
 ```
 type=1400 audit(1437408413.860:6): avc: denied { ioctl } for pid=81
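Review bot: *0x8927* and *ioctlcmd=890b* are literal values that a reader will match against policy source and against the audit record quoted right below, yet after this change they use the same emphasis as the file name *include/linux/sockios.h* and the process name *goldfish_setup*. Suggest keeping code spans for literal values and audit fields, or stating the emphasis convention once in the notebook, so that literals stay distinguishable from names.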
@@ -121,18 +114,15 @@ Notes:
 
 1.  Important: The ioctl operation is not 'deny all' ioctl requests
     (hence whitelisting). It is targeted at the specific
-    source/target/class set of ioctl commands. As no other `allowxperm`
+    source/target/class set of ioctl commands. As no other *allowxperm*
     rules have been defined in the example, all other ioctl calls may
     continue to use any valid request parameters (provided there are
-    `allow` rules for the `ioctl` permission).
+    *allow* rules for the *ioctl* permission).
 2.  As the ***ioctl**(2)* function requires a file descriptor, its
-    context must match the process context otherwise the `fd { use }`
+    context must match the process context otherwise the *fd { use }*
     class/permission is required.
 3.  To deny all ioctl requests for a specific source/target/class the
-    `xperm_set` should be set to `0` or `0x0`.
-
-
-<br>
+    *xperm_set* should be set to *0* or *0x0*.
 
 <!-- %CUTHERE% -->
 



* [RFC,selinux-notebook PATCH 06/18] xen_statements: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (4 preceding siblings ...)
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 05/18] xperm_rules: " Paul Moore
@ 2020-08-04  1:33 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 07/18] vm_support: " Paul Moore
                   ` (11 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:33 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/xen_statements.md |  340 +++++++++++++++++--------------------------------
 1 file changed, 119 insertions(+), 221 deletions(-)

diff --git a/src/xen_statements.md b/src/xen_statements.md
index ce968de..5688893 100644
--- a/src/xen_statements.md
+++ b/src/xen_statements.md
@@ -1,12 +1,12 @@
 # Xen Statements
 
-Xen policy supports additional policy language statements: `iomemcon`,
-`ioportcon`, `pcidevicecon`, `pirqcon` and `devicetreecon` that are
+Xen policy supports additional policy language statements: *iomemcon*,
+*ioportcon*, *pcidevicecon*, *pirqcon* and *devicetreecon* that are
 discussed in the sections that follow, also the
 [**XSM/FLASK Configuration**](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt)
 document contains further information.
 
-Policy version 30 introduced the `devicetreecon` statement and also
+Policy version 30 introduced the *devicetreecon* statement and also
 expanded the existing I/O memory range to 64 bits in order to support
 hardware with more than 44 bits of physical address space (32-bit count
 of 4K pages).
@@ -14,9 +14,7 @@ of 4K pages).
 To compile these additional statements using ***semodule**(8)*, ensure
 that the ***semanage.conf**(5)* file has the *policy-target=xen* entry.
 
-<br>
-
-## `iomemcon`
+## *iomemcon*
 
 Label i/o memory. This may be a single memory location or a range.
 
@@ -26,50 +24,32 @@ Label i/o memory. This may be a single memory location or a range.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>iomemcon</code></td>
-<td>The <code>iomemcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>addr</code></td>
-<td>The memory address to apply the context. This may also be a range that consists of a start and end address separated by a hypen '-'.</td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The security context to be applied.</td>
-</tr>
-</tbody>
-</table>
+*iomemcon*
+
+The *iomemcon* keyword.
+
+*addr*
 
+The memory address to apply the context. This may also be a range that consists
+of a start and end address separated by a hypen \'-\'.
+
+*context*
+
+The security context to be applied.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Examples:**
 
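Review bot: the new *addr* description carries over the typo "hypen" ("separated by a hypen \'-\'") from the removed table cell. The line is being retyped anyway, so correct it to "hyphen" here; the same word appears in the *port* description of the *ioportcon* hunk.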
@@ -78,9 +58,7 @@ iomemcon 0xfebd9 system_u:object_r:nicP_t
 iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
 ```
 
-<br>
-
-## `ioportcon`
+## *ioportcon*
 
 Label i/o ports. This may be a single port or a range.
 
@@ -90,49 +68,32 @@ Label i/o ports. This may be a single port or a range.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>ioportcon</code></td>
-<td>The <code>ioportcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>port</code></td>
-<td>The <code>port</code> to apply the context. This may also be a range that consists of a start and end port number separated by a hypen '-'.</td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The security context to be applied.</td>
-</tr>
-</tbody>
-</table>
+*ioportcon*
+
+The *ioportcon* keyword.
+
+*port*
+
+The *port* to apply the context. This may also be a range that consists of a
+start and end port number separated by a hypen \'-\'.
+
+*context*
+
+The security context to be applied.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Examples:**
 
@@ -141,9 +102,7 @@ ioportcon 0xeac0 system_u:object_r:nicP_t
 ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
 ```
 
-<br>
-
-## `pcidevicecon`
+## *pcidevicecon*
 
 Label a PCI device.
 
@@ -153,57 +112,37 @@ Label a PCI device.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>pcidevicecon</code></td>
-<td>The <code>pcidevicecon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>pci_id</code></td>
-<td>The PCI indentifer.</td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The security context to be applied.</td>
-</tr>
-</tbody>
-</table>
+*pcidevicecon*
+
+The *pcidevicecon* keyword.
+
+*pci_id*
+
+The PCI indentifer.
+
+*context*
+
+The security context to be applied.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
 `pcidevicecon 0xc800 system_u:object_r:nicP_t`
 
-<br>
-
-## `pirqcon`
+## *pirqcon*
 
 Label an interrupt level.
 
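Review bot: "The PCI indentifer." under *pci_id* is copied verbatim from the removed table cell, typo included. Suggest "The PCI identifier." as part of this conversion.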
@@ -213,57 +152,37 @@ Label an interrupt level.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>pirqcon</code></td>
-<td>The <code>pirqcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>irq</code></td>
-<td>The interrupt request number.</td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The security context to be applied.</td>
-</tr>
-</tbody>
-</table>
+*pirqcon*
+
+The *pirqcon* keyword.
+
+*irq*
+
+The interrupt request number.
+
+*context*
+
+The security context to be applied.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
 **Example:**
 
 `pirqcon 33 system_u:object_r:nicP_t`
 
-<br>
-
-## `devicetreecon`
+## *devicetreecon*
 
 Label device tree nodes.
 
@@ -273,57 +192,36 @@ Label device tree nodes.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>devicetreecon</code></td>
-<td>The <code>devicetreecon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>path</code></td>
-<td>The device tree path. If this contains spaces enclose within <em>""</em> as shown in the example.</td>
-</tr>
-<tr>
-<td><code>context</code></td>
-<td>The security context to be applied.</td>
-</tr>
-</tbody>
-</table>
+*devicetreecon*
+
+The *devicetreecon* keyword.
+
+*path*
+
+The device tree path. If this contains spaces enclose within *""* as shown in
+the example.
+
+*context*
+
+The security context to be applied.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
 
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
 
-**Example:**
+Conditional Policy Statements
 
-`devicetreecon "/this is/a/path" system_u:object_r:arm_path`
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | No                      | No                      |
 
+**Example:**
 
-<br>
+`devicetreecon "/this is/a/path" system_u:object_r:arm_path`
 
 <!-- %CUTHERE% -->
 
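Review bot: in the *path* description, "enclose within *""*" leaves the double quotes unescaped, while the single quotes elsewhere in this patch are escaped (for example "a hypen \'-\'"). If smart punctuation is active in the pandoc build, the pair can come out as curly quotes, which would no longer match the straight quotes in the example line "devicetreecon "/this is/a/path" system_u:object_r:arm_path". Suggest escaping them the same way as the single quotes.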



* [RFC,selinux-notebook PATCH 07/18] vm_support: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (5 preceding siblings ...)
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 06/18] xen_statements: " Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 08/18] user_statements: " Paul Moore
                   ` (10 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

As a warning, the footnotes may not render correctly until all footnotes in
the document have been converted.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/vm_support.md |  135 +++++++++++------------------------------------------
 1 file changed, 27 insertions(+), 108 deletions(-)

diff --git a/src/vm_support.md b/src/vm_support.md
index f072fe3..09321ed 100644
--- a/src/vm_support.md
+++ b/src/vm_support.md
@@ -1,10 +1,9 @@
 # SELinux Virtual Machine Support
 
-SELinux support is available in the KVM/QEMU and Xen virtual machine
-(VM) technologies<a href="#fnv1" class="footnote-ref" id="fnvms1"><strong><sup>1</sup></strong></a>
-(that are discussed in the sections that follow, however the package
-documentation should be read for how these products actually work and how they
-are configured.
+SELinux support is available in the KVM/QEMU and Xen virtual machine (VM)
+technologies[^fn_vms_1] that are discussed in the sections that follow, however
+the package documentation should be read for how these products actually work
+and how they are configured.
 
 Currently the main SELinux support for virtualisation is via *libvirt*
 that is an open-source virtualisation API used to dynamically load guest
@@ -23,8 +22,6 @@ To ensure all dependencies are installed run:
 
 `dnf install libvirt qemu virt-manager`
 
-<br>
-
 ## KVM / QEMU Support
 
 KVM is a kernel loadable module that uses the Linux kernel as a
@@ -51,7 +48,6 @@ configure these and their VM image files.
 QEMU provides the hardware emulation services for the guest
 operating systems. Note that KVM requires CPU virtualisation support.*
 
-
 ## *libvirt* Support
 
 The Svirt project added security hooks into the *libvirt* library that
@@ -65,14 +61,12 @@ that will load and manage the images. The SELinux implementation
 supports four methods of labeling VM images, processes and their
 resources with support from the Reference Policy *modules/services/virt*
 loadable module. To support this labeling, *libvirt* requires an MCS or MLS
-enabled policy as the [**`level`**](security_context.md#security-context)
+enabled policy as the [***level***](security_context.md#security-context)
 entry of the security context is used (*user:role:type:level*).
 
 The link <http://libvirt.org/drvqemu.html#securityselinux> has details
 regarding the QEMU driver and the SELinux confinement modes it supports.
 
-<br>
-
 ## VM Image Labeling
 
 This sections assumes VM images have been generated using the simple
@@ -109,33 +103,12 @@ implemented as follows:
     The following example shows two running VM sessions each having
     different labels:
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>VM Image Name<strong></td>
-<td><strong>Object<strong></td>
-<td><strong>Dynamically assigned security context<strong></td>
-</tr>
-<tr>
-<td rowspan="2"><strong>Dynamic_VM1</strong></td>
-<td><code>process</code></td>
-<td><code>system_u:system_r:svirt_tcg_t:s0:c585,c813</code></td>
-</tr>
-<tr>
-<td><code>file</code></td>
-<td><code>system_u:system_r:svirt_image_t:s0:c585,c813</code></td>
-</tr>
-<tr>
-<td rowspan="2"><strong>Dynamic_VM2</strong></td>
-<td><code>process</code></td>
-<td>s<code>ystem_u:system_r:svirt_tcg_t:s0:c535,c601<code></td>
-</tr>
-<tr>
-<td><code>file</code></td>
-<td><code>system_u:system_r:svirt_image_t:s0:c535,c601</code></td>
-</tr>
-</tbody>
-</table>
+| VM Image    | Object    | Dynamically assigned security context             |
+| ------------| --------- | ------------------------------------------------- |
+| Dynamic_VM1 | *process* | *system_u:system_r:svirt_tcg_t:s0:c585,c813*      |
+|             | *file*    | *system_u:system_r:svirt_image_t:s0:c585,c813*    |
+| Dynamic_VM2 | *process* | *system_u:system_r:svirt_tcg_t:s0:c535,c601*      |
+|             | *file*    | *system_u:system_r:svirt_image_t:s0:c535,c601*    |
 
 The running image *ls -Z* and *ps -eZ* are as follows, and for
 completeness an *ls -Z* is shown when both VMs have been stopped:
@@ -163,8 +136,6 @@ system_u:object_r:virt_image_t:s0 Dynamic_VM1.img
 system_u:object_r:virt_image_t:s0 Dynamic_VM2.img
 ```
 
-<br>
-
 ### Shared Image
 
 If the disk image has been set to shared, then a dynamically allocated
@@ -253,30 +224,12 @@ initialisation process will take place:
     The following example shows each VM having the same file label but
     different process labels:
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>VM Image Name</strong></td>
-<td><strong>Object</strong></td>
-<td><strong>Security context</strong></td>
-</tr>
-<tr>
-<td><strong>Shareable_VM</strong></td>
-<td><code>process</code></td>
-<td><code>system_u:system_r:svirt_tcg_t:s0:c231,c245</code></td>
-</tr>
-<tr>
-<td><strong>Shareable_VM-clone</strong></td>
-<td><code>process</code></td>
-<td><code>system_u:system_r:svirt_tcg_t:s0:c695,c894</code></td>
-</tr>
-<tr>
-<td></td>
-<td><code>file</code></td>
-<td><code>system_u:system_r:svirt_image_t:s0</code></td>
-</tr>
-</tbody>
-</table>
+
+| VM Image           | Object    | Security context                             |
+| -------------------| ----------| -------------------------------------------- |
+| Shareable_VM       | *process* | *system_u:system_r:svirt_tcg_t:s0:c231,c245* |
+| Shareable_VM-clone | *process* | *system_u:system_r:svirt_tcg_t:s0:c695,c894* |
+|                    | *file*    | *system_u:system_r:svirt_image_t:s0*         |
 
 The running image *ls -Z* and *ps -eZ* are as follows and for
 completeness an *ls -Z* is shown when both VMs have been stopped:
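Review bot: in the new Shareable table the *file* row has an empty "VM Image" cell directly under Shareable_VM-clone, so it reads as the clone's file, whereas the text above the table says each VM has the same file label. Suggest naming both images in that cell. The added empty line before the table also leaves two consecutive blank lines in the source.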
@@ -391,35 +344,12 @@ was possible because the 's*etsebool -P virt_transition_userdomain
 on*'* *boolean was set that allows *virtd_t* domain to transition to a
 user domain (e.g. *unconfined_t*).
 
-
-
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>VM Image Name<strong></td>
-<td><strong>Object<strong></td>
-<td><strong>Static security context<strong></td>
-</tr>
-<tr>
-<td rowspan="2"><strong>Static_VM1</strong></td>
-<td><code>process</code></td>
-<td><code>system_u:system_r:svirt_t:s0:c1022,c1023</code></td>
-</tr>
-<tr>
-<td><code>file</code></td>
-<td><code>system_u:system_r:svirt_image_t:s0:c1022,c1023</code></td>
-</tr>
-<tr>
-<td rowspan="2"><strong>Static_VM2</strong></td>
-<td><code>process</code></td>
-<td><code>system_u:system_r:unconfined_t:s0:c11,c22</code></td>
-</tr>
-<tr>
-<td><code>file</code></td>
-<td><code>system_u:system_r:virt_image_t:s0</code></td>
-</tr>
-</tbody>
-</table>
+| VM Image   | Object    | Static security context                            |
+| -----------| --------- | -------------------------------------------------- |
+| Static_VM1 | *process* | *system_u:system_r:svirt_t:s0:c1022,c1023*         |
+|            | *file*    | *system_u:system_r:svirt_image_t:s0:c1022,c1023*   |
+| Static_VM2 | *process* | *system_u:system_r:unconfined_t:s0:c11,c22*        |
+|            | *file*    | *system_u:system_r:virt_image_t:s0*                |
 
 The running image *ls -Z* and *ps -eZ* are as follows, and for
 completeness an *ls -Z* is shown when both VMs have been stopped:
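Review bot: the *file* rows give the image context with role *system_r* ("*system_u:system_r:svirt_image_t:s0:c1022,c1023*"), but the *ls -Z* output quoted in the next hunk shows the same image as "system_u:object_r:svirt_image_t:s0:c1022,c1023 Static_VM1.img". The mismatch is inherited from the removed HTML table; since the rows are being retyped, suggest correcting the file rows to *object_r* here and in the Dynamic and Shareable tables of this patch.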
@@ -446,8 +376,6 @@ system_u:object_r:svirt_image_t:s0:c1022,c1023 Static_VM1.img
 system_u:object_r:virt_image_t:s0 Static_VM2.img
 ```
 
-<br>
-
 ## Xen Support
 
 This is not supported by SELinux in the usual way as it is built into
@@ -479,19 +407,10 @@ For reference, the Xen policy supports additional policy language
 statements that defined in the
 [**Xen Statements**](xen_statements.md#xen-statements) section.
 
-<br>
-
-<section class="footnotes">
-<ol>
-<li id="fnv1"><p>KVM (Kernel-based Virtual Machine) and Xen are classed as 'bare metal' hypervisors and they
-rely on other services to manage the overall VM environment. QEMU (Quick Emulator) is an
-emulator that emulates the BIOS and I/O device functionality and can be used standalone or with
-KVM and Xen.<a href="#fnvms1" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
-
-
-<br>
+[^fn_vms_1]: KVM (Kernel-based Virtual Machine) and Xen are classed as 'bare
+metal' hypervisors and they rely on other services to manage the overall VM
+environment. QEMU (Quick Emulator) is an emulator that emulates the BIOS and
+I/O device functionality and can be used standalone or with KVM and Xen.
 
 <!-- %CUTHERE% -->
 



* [RFC,selinux-notebook PATCH 08/18] user_statements: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (6 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 07/18] vm_support: " Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 09/18] userspace_libraries: " Paul Moore
                   ` (9 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/user_statements.md |  113 ++++++++++++++++++++----------------------------
 1 file changed, 48 insertions(+), 65 deletions(-)

diff --git a/src/user_statements.md b/src/user_statements.md
index cac6181..46f2846 100644
--- a/src/user_statements.md
+++ b/src/user_statements.md
@@ -1,6 +1,6 @@
 # User Statements
 
-## `user`
+## *user*
 
 The user statement declares an SELinux user identifier within the policy
 and associates it to one or more roles. The statement also allows an
@@ -17,73 +17,58 @@ Or for MCS/MLS Policy:
 
 `user seuser_id roles role_id level mls_level range mls_range;`
 
-
 Where:
 
-<table>
-<tbody>
-<tr>
-<td><code>user</code></td>
-<td>The <code>user</code> keyword.</td>
-</tr>
-<tr>
-<td><code>seuser_id</code></td>
-<td>The SELinux user identifier.</td>
-</tr>
-<tr>
-<td><code>roles</code></td>
-<td>The <code>roles</code> keyword.</td>
-</tr>
-<tr>
-<td><code>role_id</code></td>
-<td>One or more previously declared <code>role</code> or <code>attribute_role<code> identifiers. Multiple <code>role</code> identifiers consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>level</code></td>
-<td>If MLS is configured, the MLS <code>level</code> keyword.</td>
-</tr>
-<tr>
-<td><code>mls_level</code></td>
-<td><p>The users default MLS security level that has been previously declared with a <code>level</code> statement</em></em>.</p>
-<p>Note that the compiler only accepts the <code>sensitivity</code> component of the <code>level</code> (e.g. s0).</p></td>
-</tr>
-<tr>
-<td><code>range</code></td>
-<td>If MLS is configured, the MLS <code>range</code> keyword.</td>
-</tr>
-<tr>
-<td><code>mls_range</code></td>
-<td>The range of security levels that the user can run. The format is described in the <a href="mls_statements.md#mls-range-definition">"MLS <code>range</code> Definition"</a> section.</td>
-</tr>
-</tbody>
-</table>
+*user*
+
+The *user* keyword.
+
+*seuser_id*
+
+The SELinux user identifier.
+
+*roles*
+
+The *roles* keyword.
+
+*role_id*
+
+One or more previously declared *role* or *attribute_role* identifiers.
+Multiple *role* identifiers consist of a space separated list enclosed in
+braces '{}'.
+
+*level*
+
+If MLS is configured, the MLS *level* keyword.
+
+*mls_level*
+
+The users default MLS security level that has been previously declared with a
+*level* statement. Note that the compiler only accepts the *sensitivity*
+component of the *level* (e.g. s0).
+
+*range*
+
+If MLS is configured, the MLS *range* keyword.
+
+*mls_range*
+
+The range of security levels that the user can run. The format is described in
+the ["MLS *range* Definition"](mls_statements.md#mls-range-definition) section.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
 
 **Examples:**
 
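Review bot: the *role_id* text ends with "braces '{}'." using bare single quotes, while the same phrase in the xperm_rules patch of this series is written "braces \'{}\'". Pick one form so the rendered quotes are the same across the notebook. In the *mls_level* entry, "The users default MLS security level" needs the possessive: "The user's default MLS security level".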
@@ -156,8 +141,6 @@ user mque_u prefix user;
 user mque_u prefix user;
 ```
 
-<br>
-
 <!-- %CUTHERE% -->
 
 ---



* [RFC,selinux-notebook PATCH 09/18] userspace_libraries: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (7 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 08/18] user_statements: " Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 10/18] type_statements: " Paul Moore
                   ` (8 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/userspace_libraries.md |  161 +++++++++++++++++++-------------------------
 1 file changed, 69 insertions(+), 92 deletions(-)

diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md
index 26ed38d..6db6bb7 100644
--- a/src/userspace_libraries.md
+++ b/src/userspace_libraries.md
@@ -11,8 +11,6 @@ source code are available at:
 
 <https://github.com/SELinuxProject/selinux/wiki>
 
-<br>
-
 ## libselinux Library
 
 *libselinux* contains all the SELinux functions necessary to build
@@ -29,91 +27,77 @@ The library hides the low level functionality of (but not limited to):
     associated to files, sockets etc. - see ***attr**(5)*.
 -   The SELinux policy and its associated configuration files.
 
-The general category of functions available in *libselinux* are shown in
-**Table 1: libselinux function types**, with
-[**Appendix B - `libselinux` API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary)
+The general category of functions available in *libselinux* are shown below,
+with [**Appendix B - `libselinux` API Summary**](libselinux_functions.md#appendix-b---libselinux-api-summary)
 giving a complete list of functions.
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Function Category</strong></td>
-<td><strong>Description</strong></td>
-</tr>
-<tr>
-<td>Access Vector Cache Services</td>
-<td>Allow access decisions to be cached and audited. </td>
-</tr>
-<tr>
-<td>Boolean Services</td>
-<td>Manage booleans.</td>
-</tr>
-<tr>
-<td>Class and Permission Management</td>
-<td>Class / permission string conversion and mapping.</td>
-</tr>
-<tr>
-<td>Compute Access Decisions</td>
-<td>Determine if access is allowed or denied.</td>
-</tr>
-<tr>
-<td>Compute Labeling</td>
-<td>Compute labels to be applied to new instances of on object.</td>
-</tr>
-<tr>
-<td>Default File Labeling</td>
-<td>Obtain default contexts for file operations.</td>
-</tr>
-<tr>
-<td>File Creation Labeling </td>
-<td>Get and set file creation contexts.</td>
-</tr>
-<tr>
-<td>File Labeling</td>
-<td>Get and set file and file descriptor extended attributes.</td>
-</tr>
-<tr>
-<td>General Context Management</td>
-<td>Check contexts are valid, get and set context components.</td>
-</tr>
-<tr>
-<td>Key Creation Labeling </td>
-<td>Get and set kernel key creation contexts.</td>
-</tr>
-<tr>
-<td>Label Translation Management </td>
-<td>Translate to/from, raw/readable contexts.</td>
-</tr>
-<tr>
-<td>Netlink Services</td>
-<td>Used to detect policy reloads and enforcement changes.</td>
-</tr>
-<tr>
-<td>Process Labeling </td>
-<td>Get and set process contexts.</td>
-</tr>
-<tr>
-<td>SELinux Management Services</td>
-<td>Load policy, set enforcement mode, obtain SELinux configuration information.</td>
-</tr>
-<tr>
-<td>SELinux-aware Application Labeling</td>
-<td>Retrieve default contexts for applications such as database and X-Windows. </td>
-</tr>
-<tr>
-<td>Socket Creation Labeling </td>
-<td>Get and set socket creation contexts.</td>
-</tr>
-<tr>
-<td>User Session Management</td>
-<td>Retrieve default contexts for user sessions.</td>
-</tr>
-</tbody>
-</table>
-
-**Table 1: libselinux function types**
-
-<br>
+**Access Vector Cache Services**
+
+Allow access decisions to be cached and audited.
+
+**Boolean Services**
+
+Manage booleans.
+
+**Class and Permission Management**
+
+Class / permission string conversion and mapping.
+
+**Compute Access Decisions**
+
+Determine if access is allowed or denied.
+
+**Compute Labeling**
+
+Compute labels to be applied to new instances of on object.
+
+**Default File Labeling**
+
+Obtain default contexts for file operations.
+
+**File Creation Labeling**
+
+Get and set file creation contexts.
+
+**File Labeling**
+
+Get and set file and file descriptor extended attributes.
+
+**General Context Management**
+
+Check contexts are valid, get and set context components.
+
+**Key Creation Labeling**
+
+Get and set kernel key creation contexts.
+
+**Label Translation Management**
+
+Translate to/from, raw/readable contexts.
+
+**Netlink Services**
+
+Used to detect policy reloads and enforcement changes.
+
+**Process Labeling**
+
+Get and set process contexts.
+
+**SELinux Management Services**
+
+Load policy, set enforcement mode, obtain SELinux configuration information.
+
+**SELinux-aware Application Labeling**
+
+Retrieve default contexts for applications such as database and X-Windows.
+
+**Socket Creation Labeling**
+
+Get and set socket creation contexts.
+
+**User Session Management**
+
+Retrieve default contexts for user sessions.
 
 The *libselinux* functions make use of a number of files within the
 SELinux sub-system:
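
Review bot: The added Compute Labeling description still reads "new instances of on object"; the line is being rewritten anyway, so correct it to "of an object". The reworded lead-in "The general category of functions available in *libselinux* are shown below" also mixes singular and plural ("categories ... are"). Since patch 01/18 enables pandoc pipe_tables, a two-column pipe table would keep the category/description pairing of the old HTML table; if the bold-label-plus-paragraph layout is intentional, a line in the commit message (which currently has no body) would help.
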
@@ -141,8 +125,6 @@ There is a static version of the library that is not installed by default:
 
 `dnf install libselinux-static`
 
-<br>
-
 ## libsepol Library
 
 *libsepol* - To build and manipulate the contents of SELinux kernel
@@ -157,14 +139,9 @@ as they require access to functions that are not available in the dynamic
 library (such as sepol_compute_av(), sepol_compute_av_reason() and
 sepol_context_to_sid().
 
-<br>
-
 ## libsemanage Library
 *libsemanage* - To manage the policy infrastructure.
 
-
-<br>
-
 <!-- %CUTHERE% -->
 
 ---
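
Review bot: The libsepol paragraph left as context in this hunk opens a parenthesis at "(such as sepol_compute_av(), sepol_compute_av_reason() and" and ends at "sepol_context_to_sid()." without closing it; since the surrounding lines are being cleaned up, add the missing ")". The "## libsemanage Library" heading is also the only heading in the file shown here with no blank line between it and its body text, which is worth normalising in the same pass.
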


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 10/18] type_statements: fully convert to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (8 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 09/18] userspace_libraries: " Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 11/18] postgresql: update PostgreSQL SELinux Support section Paul Moore
                   ` (7 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/type_statements.md |  636 ++++++++++++++++++------------------------------
 1 file changed, 244 insertions(+), 392 deletions(-)

diff --git a/src/type_statements.md b/src/type_statements.md
index 61c7191..76dedab 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -1,7 +1,7 @@
 # Type Statements
 
 These statements share the same namespace, therefore the general
-convention is to use `_t` as the final two characters of a type
+convention is to use *_t* as the final two characters of a type
 identifier to differentiate it from an attribute identifier as shown in
 the following examples:
 
@@ -13,12 +13,10 @@ type bin_t;              # A type identifier generally ends with _t
 attribute file_type;     # An attribute identifier generally ends with _type
 ```
 
-<br>
+## *type*
 
-## `type`
-
-The `type` statement declares the type identifier and any optional
-associated `alias` or `attribute` identifiers. Type identifiers are a
+The *type* statement declares the type identifier and any optional
+associated *alias* or *attribute* identifiers. Type identifiers are a
 component of the [**Security Context**](security_context.md#security-context).
 
 **The statement definition is:**
@@ -27,57 +25,44 @@ component of the [**Security Context**](security_context.md#security-context).
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>type</code></td>
-<td>The <code>type</code> keyword.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td>The <code>type</code> identifier.</td>
-</tr>
-<tr>
-<td><code>alias</code></td>
-<td>Optional <code>alias</code> keyword that signifies alternate identifiers for the <code>type_id</code> that are declared in the <code>alias_id</code> list.</td>
-</tr>
-<tr>
-<td><code>alias_id</code></td>
-<td>One or more <code>alias</code> identifiers that have been previously declared by the <a href="#typealias"><code>typealias</code></a> statement. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>attribute_id</code></td>
-<td>One or more optional <code>attribute</code> identifiers that have been previously declared by the <a href="#attribute"><code>attribute</code></a> statement. Multiple entries consist of a comma ',' separated list, also note the lead comma.</td>
-</tr>
-</tbody>
-</table>
+*type*
+
+The *type* keyword.
+
+*type_id*
+
+The *type* identifier.
+
+*alias*
+
+Optional *alias* keyword that signifies alternate identifiers for the *type_id*
+that are declared in the *alias_id* list.
+
+*alias_id*
+
+One or more *alias* identifiers that have been previously declared by the
+[*typealias*](#typealias) statement. Multiple entries consist of a space
+separated list enclosed in braces '{}'.
+
+*attribute_id*
+
+One or more optional *attribute* identifiers that have been previously declared
+by the [*attribute*](#attribute) statement. Multiple entries consist of a comma
+',' separated list, also note the lead comma.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
 
 **Examples:**
 
@@ -134,12 +119,10 @@ attribute server_packet_type; # declare attribute 2
 type ssh_server_packet_t, packet_type, server_packet_type;
 ```
 
-<br>
-
-## `attribute`
+## *attribute*
 
-An `attribute` statement declares an identifier that can then be used to
-refer to a group of `type` identifiers.
+An *attribute* statement declares an identifier that can then be used to
+refer to a group of *type* identifiers.
 
 **The statement definition is:**
 
@@ -147,45 +130,27 @@ refer to a group of `type` identifiers.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>attribute</code></td>
-<td>The <code>attribute</code> keyword.</td>
-</tr>
-<tr>
-<td><code>attribute_id</code></td>
-<td>The <code>attribute</code> identifier.</td>
-</tr>
-</tbody>
-</table>
+*attribute*
+
+The *attribute* keyword.
+
+*attribute_id*
+
+The *attribute* identifier.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | Yes                     |
 
 **Examples:**
 
@@ -199,11 +164,9 @@ attribute file_type;
 attribute non_security_file_type;
 ```
 
-<br>
-
-## `typeattribute`
+## *typeattribute*
 
-The `typeattribute` statement allows the association of previously
+The *typeattribute* statement allows the association of previously
 declared types to one or more previously declared attributes.
 
 **The statement definition is:**
@@ -212,49 +175,32 @@ declared types to one or more previously declared attributes.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>typeattribute</code></td>
-<td>The <code>typeattribute</code> keyword.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td>The identifier of a previously declared <code>type</code>.</td>
-</tr>
-<tr>
-<td><code>attribute_id</code></td>
-<td>One or more previously declared <code>attribute</code> identifiers. Multiple entries consist of a comma ',' separated list.</td>
-</tr>
-</tbody>
-</table>
+*typeattribute*
+
+The *typeattribute* keyword.
+
+*type_id*
+
+The identifier of a previously declared *type*.
+
+*attribute_id*
+
+One or more previously declared *attribute* identifiers. Multiple entries
+consist of a comma ',' separated list.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Examples:**
 
@@ -289,13 +235,11 @@ type setroubleshootd_exec_t;
 typeattribute setroubleshootd_exec_t file_type, non_security_file_type;
 ```
 
-<br>
-
-## `typealias`
+## *typealias*
 
-The `typealias` statement allows the association of a previously declared
-`type` to one or more `alias` identifiers (an alternative way is to use the
-`type` statement.
+The *typealias* statement allows the association of a previously declared
+*type* to one or more *alias* identifiers (an alternative way is to use the
+*type* statement.
 
 **The statement definition is:**
 
@@ -303,53 +247,36 @@ The `typealias` statement allows the association of a previously declared
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>typealias</code></td>
-<td>The <code>typealias</code> keyword.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td>The identifier of a previously declared <code>type</code>.</td>
-</tr>
-<tr>
-<td><code>alias</code></td>
-<td>The <code>alias</code> keyword.</td>
-</tr>
-<tr>
-<td><code>alias_id</code></td>
-<td>One or more <code>alias</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-</tbody>
-</table>
+*typealias*
+
+The *typealias* keyword.
+
+*type_id*
+
+The identifier of a previously declared *type*.
+
+*alias*
+
+The *alias* keyword.
+
+*alias_id*
+
+One or more *alias* identifiers. Multiple entries consist of a space separated
+list enclosed in braces '{}'.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Examples:**
 
@@ -374,14 +301,12 @@ type netif_t;
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ```
 
-<br>
+## *permissive*
 
-## `permissive`
-
-Policy version 23 introduced the `permissive` statement to allow the named
+Policy version 23 introduced the *permissive* statement to allow the named
 domain to run in permissive mode instead of running all SELinux domains
 in permissive mode (that was the only option prior to version 23). Note
-that the `permissive` statement only tests the source context for any
+that the *permissive* statement only tests the source context for any
 policy denial.
 
 **The statement definition is:**
@@ -390,45 +315,27 @@ policy denial.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>permissive</code></td>
-<td>The <code>permissive</code> keyword.</td>
-</tr>
-<tr>
-<td><code>type_id</code></td>
-<td>The <code>type</code> identifier of the domain that will be run in permissive mode.</td>
-</tr>
-</tbody>
-</table>
+*permissive*
+
+The *permissive* keyword.
+
+*type_id*
+
+The *type* identifier of the domain that will be run in permissive mode.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| No                      | Yes                     | No                      |
 
 **Examples:**
 
@@ -463,16 +370,13 @@ require {
 permissive unconfined_t;
 ```
 
-<br>
-
-
-## `type_transition`
+## *type_transition*
 
 The type_transition rule specifies the default type to be used for
 domain transistion or object creation. Kernels from 2.6.39 with Policy
 versions from 25 also support the 'name transition rule' extension. See the
 [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
-section for more details. Note than an `allow` rule must be used to authorise
+section for more details. Note than an *allow* rule must be used to authorise
 the transition.
 
 **The statement definitions are:**
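
Review bot: The changed line "section for more details. Note than an *allow* rule must be used" should read "Note that". In the unchanged context just above it, "domain transistion" is misspelled and "The type_transition rule" is the one keyword in this paragraph left without the emphasis markup applied to the heading and to *allow*; both are cheap to fix while the paragraph is being touched.
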
@@ -486,59 +390,46 @@ however, this is only appropriate for the file classes:
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>type_transition</code></td>
-<td>The <code>type_transition</code> rule keyword.</td>
-</tr>
-<tr>
-<td><p><code>source_type</code></p>
-<p><code>target_type</code></p></td>
-<td><p>One or more source / target <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. </p>
-<p>Entries can be excluded from the list by using the negative operator '-'.</p></td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>One or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>default_type</code></td>
-<td>A single <code>type</code> or <code>typealias</code> identifier that will become the default process <code>type</code> for a domain transition or the <code>type</code> for object transitions.</td>
-</tr>
-<tr>
-<td><code>object_name<code></td>
-<td>For the 'name transition' rule this is matched against the objects name (i.e. the last component of a path). If <code>object_name</code> exactly matches the object name, then use <code>default_type</code> for the <code>type</code>.</td>
-</tr>
-</tbody>
-</table>
+*type_transition*
+
+The *type_transition* rule keyword.
+
+*source_type*
+*target_type*
+
+One or more source / target *type*, *typealias* or *attribute* identifiers.
+Multiple entries consist of a space separated list enclosed in braces '{}'.
+Entries can be excluded from the list by using the negative operator '-'.
+
+*class*
+
+One or more object classes. Multiple entries consist of a space separated list
+enclosed in braces '{}'.
+
+*default_type*
+
+A single *type* or *typealias* identifier that will become the default process
+*type* for a domain transition or the *type* for object transitions.
+
+*object_name*
+
+For the 'name transition' rule this is matched against the objects name
+(i.e. the last component of a path). If *object_name* exactly matches the
+object name, then use *default_type* for the *type*.
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
 
 **Example - Domain Transition:**
 
@@ -607,14 +498,12 @@ type_transition unconfined_t etc_t : file system_conf_t eric;
 # an exact strcmp) it should be labeled system_conf_t.
 ```
 
-<br>
+## *type_change*
 
-## `type_change`
-
-The `type_change` rule specifies a default `type` when relabeling an
+The *type_change* rule specifies a default *type* when relabeling an
 existing object. For example userspace SELinux-aware applications would
-use ***security_compute_relabel**(3)* and `type_change` rules in
-policy to determine the new context to be applied. Note that an `allow`
+use ***security_compute_relabel**(3)* and *type_change* rules in
+policy to determine the new context to be applied. Note that an *allow*
 rule must be used to authorise access. See the
 [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
 section for more details.
@@ -625,55 +514,38 @@ section for more details.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>type_change</code></td>
-<td>The <code>type_change</code> rule keyword.</td>
-</tr>
-<tr>
-<td><p><code>source_type</code></p>
-<p><code>target_type</code></p></td>
-<td><p>One or more source / target <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. </p>
-<p>Entries can be excluded from the list by using the negative operator '-'.</p></td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>One or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>change_type</code></td>
-<td>A single <code>type</code> or <code>typealias</code> identifier that will become the new <code>type</code>. </td>
-</tr>
-</tbody>
-</table>
+*type_change*
+
+The *type_change* rule keyword.
+
+*source_type*
+*target_type*
+
+One or more source / target *type*, *typealias* or *attribute* identifiers.
+Multiple entries consist of a space separated list enclosed in braces '{}'.
+Entries can be excluded from the list by using the negative operator '-'.
+
+*class*
+
+One or more object classes. Multiple entries consist of a space separated list
+enclosed in braces '{}'.
+
+*change_type*
+A single *type* or *typealias* identifier that will become the new *type*. 
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
 
 **Examples:**
 
@@ -694,15 +566,13 @@ type_change auditadm_t sysadm_devpts_t:chr_file auditadm_devpts_t;
 type_change staff_t server_ptynode:chr_file staff_devpts_t;
 ```
 
-<br>
-
-## `type_member`
+## *type_member*
 
-The `type_member` rule specifies a default type when creating a
+The *type_member* rule specifies a default type when creating a
 polyinstantiated object. For example a userspace SELinux-aware
 application would use ***avc_compute_member**(3)* or
-***security_compute_member**(3)* with `type_member` rules in policy
-to determine the context to be applied. Note that an `allow` rule must
+***security_compute_member**(3)* with *type_member* rules in policy
+to determine the context to be applied. Note that an *allow* rule must
 be used to authorise access. See the
 [**Computing Security Contexts**](computing_security_contexts.md#computing-security-contexts)
 section for more details.
@@ -713,55 +583,40 @@ section for more details.
 
 **Where:**
 
-<table>
-<tbody>
-<tr>
-<td><code>type_member</code></td>
-<td>The <code>type_member</code> rule keyword.</td>
-</tr>
-<tr>
-<td><p><code>source_type</code></p>
-<p><code>target_type</code></p></td>
-<td><p>One or more source / target <code>type</code>, <code>typealias</code> or <code>attribute</code> identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. </p>
-<p>Entries can be excluded from the list by using the negative operator '-'.</p></td>
-</tr>
-<tr>
-<td><code>class</code></td>
-<td>One or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
-</tr>
-<tr>
-<td><code>member_type</code></td>
-<td>A single <code>type</code> or <code>typealias</code> identifier that will become the polyinstantiated <code>type</code>. </td>
-</tr>
-</tbody>
-</table>
+*type_member*
+
+The *type_member* rule keyword.
+
+*source_type*
+*target_type*
+
+One or more source / target *type*, *typealias* or *attribute* identifiers.
+Multiple entries consist of a space separated list enclosed in braces '{}'. 
+Entries can be excluded from the list by using the negative operator '-'.
+
+*class*
+
+One or more object classes. Multiple entries consist of a space separated list
+enclosed in braces '{}'.
+
+*member_type*
+
+A single *type* or *typealias* identifier that will become the polyinstantiated
+*type*. 
 
 **The statement is valid in:**
 
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>Yes</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy       | Base Policy             | Module Policy           |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | Yes                     |
+
+Conditional Policy Statements
+
+| *if* statement          | *optional* Statement    | *require* Statement     |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes                     | Yes                     | No                      |
 
 **Example:**
 
@@ -774,9 +629,6 @@ section for more details.
 type_member sysadm_t user_home_dir_t:dir user_home_dir_t;
 ```
 
-
-<br>
-
 <!-- %CUTHERE% -->
 
 ---


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 11/18] postgresql: update PostgreSQL SELinux Support section
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (9 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 10/18] type_statements: " Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 12/18] all: remove all the <br> tags we haven't gotten to yet Paul Moore
                   ` (6 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

From: Richard Haines <richard_c_haines@btinternet.com>

Removed image 24 and replaced with a table, also reformatted to use
only markdown.

Added a section index to see if useful.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/images/24-database-table.png |  Bin
 src/postgresql.md                |  141 +++++++++++++++-----------------------
 2 files changed, 57 insertions(+), 84 deletions(-)
 delete mode 100644 src/images/24-database-table.png

diff --git a/src/images/24-database-table.png b/src/images/24-database-table.png
deleted file mode 100644
index f1d81fcb0c6852be8d252c7fd94a1445b38f3b34..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 44747
zH+Pi7qq(=31#2s2#v4tYUYn174D^DQr@cg#_(d^Os^Uw8Stsmiw)Lq?A-5j0+iPyv
zn*m!&Wy0r1Xx#O7l=D|}Mgf>{mO=H3rox5T3(qedM|(keGhfm?DF3GVBkjWG2hW#q
zp7%eC1%B9wL8NwOntBm`5nb@0y`e#2G4yWZM>}9~4Q=pA*q@^?r1D4xos>`L&#@-i
zGne)%TuHq!s@isZF_tocwPU?8y3wZ3o%IWL)+<)OCtq3d5PZ#v)$DjL_4PP8$a`$q
zt&B^(lHhmi^>WP-ny{?(`bU`kr4*e?CT(vcjYvD?xBJH)dtZxe5ZDZp^EDjTb#mTZ
z#JKBzEP6G=OcV(-3i{v`6VVefh!MZj<`02J1)|oruQTDbi%vs{W={(65ee_?g1i$^
zoCpqL)O(p$Y9^U+G>UNj`Rz5+0zI`!a-Q^I`@N<A<WwT_s**sSNAwI_<cF$6EdxOT
z^<_GOu&1u&h6FUi%RVS_(5IvktAHXsjB%T5ZS;9)>g#L98tbJxYc1}8Ps;qP%2AZ!
z%NYPiz1cSByzb@wSn%Ya#OI_FIdRmOf}s{SlD)G<sdy#veTOvuOM<U~?xatQ>EW1P
zq9Eb6+RirO`d7+)<V_sU4QJ%58`&kyiqT694Ob$Q`Tgp}`%lHVi4<@0;Y3b4;42i9
z*&Q7WOd8%cq3Anp(eiwFTn)hbUS2<6a)$ai2I_=mCZ;v~@ph?(hAfTm-D&?et`I_z
zU*k9{@?b7ahSMNZJwh-&@6z`V&ezLcmHTrwMZd9G8713OEHgcZS!wNtcL|LT?V$~s
zf63*wx9}8`UGpKIFmmhWFJ1e(0Y!#WPE#eM6EZ&)F>iX4Ws~6)u3rURJ>u-9jhP-;
znf|<8e75tm-?<OGaQ(_~;q*nn`)G6Ym^~--@DMXl>Ix66bSxu`BP=UF_r%^=0tKy}
z;$&3#xHf$AxMoU4Sf`iXw+wCPUS!!Y;QA&eX*9)UTl85>PtdLNlQss<MOj31FIhQv
z%1r;v{$h?G@`z3)l$v@R=i$nhvv4oKT39|9hv6M>YE?Vm$E%829e01Dwi&+>*a(P*
zOmN;@pY9|m(tr9^EXSDcAa#~DjL3{r)xm{?OdX>c_7UTPukN_{SnT$SAQ*16KP#Ew
zSc9%*`S#>|42IC&Gvir#oM+9i2T|!_83}s0N@Uyi`>QM1WBcxvke6L}nlvY4*S><2
zlc`c@%LUfE(t!#Hr>;>aVr#-QT;9Ibs|1{{_YMoaOlk^4$X!!>KBB>ijpkRYT0XM+
zsR*ilrK!f%L5YoWn6NDf-_&A3r$);|oqNl0@pZ%-=W*_QQ|q(4cxf5$g|i~H&UWnN
zo$JQa-mIOhQ_#j!kB}C*DZ+^gBniF}qM$ckn?__HVj+@g-)Fu|^2l$*mDHZQ<MyV9
zdy_jaO&}kNn;o72J3{{^L$M^vl8f$h)5jDj&jVa%R<1&vF*#!BPp%EK`aD_4cHE#F
z`+#^v@JEkaL_+P3vv8NK)CJpyj5*U)zumVBJ6dnOIR*R1>;2pw4R$@^8CC1|?*+Fs
z!m|J4^{8R1Sz9|{F=W_nHL8r!W0kcK$PM-5(L<|uOPBLtlmdbLxtx@lEclWDGeSF!
zyGyqFWY>}SRgQ3=&RUAqRN)pcXI!CN9^+*1R_5%9slof!%U`7~D!Z-3twDBp*3;T?
z+-5(p(PfJ~*25SV0iQ7TZJ*FNQBopC^BGEF>(<qb`1-o&%V?n30Nk5lc06#hJwa<;
z+ut)iwx3SbRS8AFk{w(G@z^gfwy^aZ756TroCHv`k)jnNa<oBm=PFYGHjY2x8E;SH
zwNAP#vJT7C#3+%Yr~Bmr%F1S`47L`{i6_mq89rCkI1*$#&EAgkBoSpDr|VTe>kF{c
zaSi}=zdD6nhtJG!(U#*@b0&3?scQR+<WT5_R^fK~-X3aMeWXJ#k<0DG(afFCo>f37
zkuz7wv0caT<IYNmkm@HzcTroYvrfJ{UTmuI+KiQTqNrrkh#gF5#BIGh8{+fZX3~&H
zBe!SmNu(>2!KQ@%G8`cwN?Uwn5J#45ZB%HVH4V$esqQ;O;bJ3Ne7?uUwtMq=eDw$A
zd6PwAhAtfpJ(Xe_0(q`Plwz4z@e26rM2RSSdAO1}3JAvZUFsao&el@eT&D)lO?pB%
zwUfdzOXMyC-AcPqCV*xTCkMmPDH1~F6lz;@qD!|Pd9`-HX+Go{xss&+xeCGRmyTr}
zwR;i_R1Zl~zqvM=CF@-ov;TAMlOrn>Z=eKUYrF6(i2;_@hn1d0%)7CGJkM$EG^NTU
z*a}^T8K;<L8gIEAEfJ*!0fhwz(yHJaA(K8KCQ^<o*`!G$a6Zf(zv7~QkNa$_3!OvH
zDptZ>j4ER)xGmKy7Z(;&O+P!FP6kzu8P{jTVITmTMmP?-*51%jD@dHze$bZ+U5}B$
z%|-azk2PWgpTX|RsmBEtQ~&$0kIZq{^x1-aoPpT9c})!n%z?#Xd-H$$!XS#xn&|C8
z&4Ax9ktw=ff;hM>2owaIkyt>=X*+y!S+#LqGbYAO8$;pu<Ry-y%W!ZVftKDx<csh>
zvIJi<vvJG6@0D0Y;iDHFAeb)*Ud_yjiS492f7wA5(OzX+%#z*$8il=*y4nPI-0*Mm
zJvZxS3`#FDq9J6%N*)}zxesbD{_EtUzR|3am}PwU6&Ao9&?y<&`4fpaMaL}m#ri7q
z&)#u<3KU1_*Q@|ZHa6X2thJt$5%miy8noOVHE-kAQctb2sJ|`rY~eP$i)p+3rOUTY
zfS0*}$}$0z7PB_5XLq31DwssG2l~UjTy^T?-p=&0tI-MZo7=-(W+Za-%zq=N*Atjz
zI7KFPYsvNe$2~FcMg98Zv+dRvM<rG1N||x!2hg9f8EFfG-4nQzUk$+TJhGHl2=xv4
zdF*7g8V!fY_ZhyHoMJR_dXj(gOGo-oCpy|}nDSmo$B9>VR+G=lx!&*cK*E1w%g2A>
zT}v_j?6~6h*b11~O^IAoEt(FqQ>$znghx{&cF(_Ybvoe>b6L}JUfcTXtp9n)=4!Eg
z3pU)>v!>C#onP^tP*eLF9XA$1$0I~etE43hNkm(W4;+o69(wgBh{#|U=?NJzvSsi@
z573K5pHvX~J>EAoshpB|pLE)7{)p{-`sQ?}hc<Xk&MN8Fef?JAmsP-@Tvle>Rhmp3
z3S1U4a#NYeHTApA+V|6g+hj?4PVzGVNPtFsOmC+w5=piul-ZjV!O_-;Ipjnhl-Qfe
zde)<lGA4l|z7~kLh^xrDb~SHZsc=02M{og7q0X`#2yYcWw^!SrA1<a;8#b1`_zAM$
z6ufmh?{9XpbnjB#PO&M2^F72VWgjD}a8P#iIAQ9xl62?KXMoN#Q?A>fFyneKJK=LS
zz&KFX!O0iILlFjFK`!J{tZP%<8&}nMay~rnCDgOy?w-UbvI7>hD>_?k%p0Cbv6&O0
zJg-gBnCN^)-|VjNOv0=`*{sa!Vpf|()-++?B<MelSE`UK+rLt#!$n*qIs;XiOK5K~
zhFbdIb*T5`v!whrY;MF*LG}~@M-$wmFczFzo4Mz8xShpndCd2IfO{_vvQ+9Zv9i~$
z30C9hIQm1xG-y(QXraEbalFBTbFyq@^|ZgJ?O8-P-M0X|^6xYiGFCq~(}9S__vC%m
zPyGs%iO|10gO1>9x~xp#Gk%lfr2p8_>TF%!7|t)Z`i4`v^=m9f){WHQ0nF>UTClf2
zr&fxDt2w7m88cCj3p3n~g6etKD~}H|K-aN9%8yqmabfRCTjHC4M|%zKJ+kGU@Y8|1
zoH=&ZCnG?Btx!(myUMzu&vb@LggcyM(3dejz8Fz^!Hff%Nf8@zE{)pPqt<H!UA0ab
zHoSOf@0`ZOH`3%eA%#kEyDE>LtSZ`kZs+&VEiSPHRzE`UoB0!2^nRV+9=A8M>wlje
z{po<%F~res!-CuwO=<X(K_nLQO+GHpAM56g&%&Q*AAxAw&?9LV#rw-ameR+C%tqv9
zGk(CH*$mL}fV{`9xDr_kk9>7vbymGCiQcQpPz8i#&Vpy;CI709|0sK%Z}NdiG5RvU
z0!YCct<+KHW8y0>N5X?7{g0NK`#V#g^1O>_Uj2l=zWNe5?^BaYtH~_j1~$To7F{O3
z4>y+lGkVT%gmwVQtMX5D0?TAFf$4ReC=b5a)kW1$F^orWbMzPLZR3rXfK1BUBt}GB
z+`b;pQeyMsM|h=7N~wuG)@@K%t57B&cXJ8eFAt^iuGW0XhCPj=c7gWv4M*_mX)oue
z5Jt4!naZrg&a)oUqed*Rui@1{@QThASjx>DjX4rlG;uS#$35rAz1^R9g{LIvcDe(|
zxCFFDyER{U3!o*&OMWJ9*E#M)rgYJ@txJq@-TtJ2uqL>r9tKVtx0zAiW>}`0>GOyu
zfXju4ipCJ41)Fqdpzt;tw0i2mu6P}{+HzCn8EYgx+}|=@Z=@gAFN^|&=41D8v(q5u
z^mu>0U<u$~)$rAh8CT2?gA^?ByKywiW$I#{wvVrx8aad|=XASY@t-nO_+}C8s4*3j
z$q6#!ByyxLtSvFcV5GtCxE;<<uMb?VF-SaSISY)|tS>bM*1*O=JQrLYg=#uKH*uhe
zkp2;v$*LLQTbONjpj>@Q;Ww%xd}xOB%AI{d_#Nx4UT7AhE8-N)1WZp9+*p4-MHF85
zB>?@YZ|GhU-}B*6T4s&*Z2Ww!TJ8d%DIwPx8)4YKF&wVktCOcsEs81CpMW0hJjonp
z&((d4Ph<N!Cz?AE<z1@i!?K20Hs{G{J2ikHZOtLUFwa7%*Y59X*4d8MZaw1ltbPwa
z(apvU+F1m0{(vCYLpsoWr`x1epSDr|2=Nn3MDbqi4w`aIj~J+g){{7FO!B{NT0NFC
zn>z5vOPe;KuW~_=K`7J@A$(V;YUltNzy&cxa6L`hZpz`i0XB=?{;%>4BQ+Y0*!QsQ
zxar5>llbS-@O2X|y%JKy!w0@mGDX#%mzZW~;)gJ+vpMwO$j&Yjvfw=Y+2=?@uyCq-
z5kY7X7(1Zgje8@iV1+*)-J|}MrLtwxw(Vv+5iGPF$wnHfpHE8U>LkiSyTERwL@qc|
zJNtVelfB1J)whKi$Ypm%(QzxSEDF)g>Uffg#Xto3SCb|&doh`re+GZer~PtJw(YL#
z4-UJ*S?pH&U)bHE_0lVD&`UM0-`<&OIfz;Pt?!Mcnk2Eeu{Fl(WN-Tno~p<i-<(-I
z^G*Vu`RmyA*5~u_8p~dBcQtpuv{wwqhS4rfVBH<)WsPQXwy#4tfBFIWoo+`x?9S^n
zEgV1VwMv5W3xx%iJW=_rX2t<=7P7AEW-Yg+4_de2!LH&DXHoVumVbgkZg2B5UbBOP
zadWBj{(+$4u4uQA&;_*zak}#E<)%M|=U?DZpFZdOa0pNnxFZ;}Z*u(ar8b4yze~5L
z*?s@&1z70DD)XZIM%2JNU0ZB>>H#=syW!TYPnQ80?Hg9K=%7@%ej9K2Sxl1{3Sjzo
zDA8c}sADxEV=B<2gfz<4Po`O%1(150st05(Wa--wyEVJEh!qs4t_4f9OMRS%qX>?3
zyzDZ&YB?XZHf~~8JFtlq%u@Ha6)q%C>F(+ye+^@m_zsAXeErE0wF;ZI>yD}n+tMqq
zC?;c&P&wZY<bP<9jX-r}@N9>yqhC+RQqHvyJHHR)3LEt{;sPgz@;o5C2SYsQxogH5
z0MFmG3_R#>qEVM&;gJw5@sZ%ed<)>cV!e$|Ax-pXGhvLG+P}4x4yvPD)eAnMzDL^z
zh|QWHtUy$etxm)H?Xm*CmP_>Y#~=4y`h9CRvkQ4SQg5pbt$~)KI(mKwdbcKyu-lQ%
z=yD3txkd5-3jlp^hA$*wu}*Qf;}qGy;v2A*6{94hkBHqKbWRN7m&jQ448^{Ob3_!E
zZ|f!04GiIq)eNJuiDdu2o4e`e-exGZnf#iqX88FPx$FMq%dhu8$_y#q01ks0IBx)X
zTcYq&<A2ttMl1<cBu}074Es%V7ulb<sAzsOG#!bq2t+$$C$(MoudiN|NEfPR*`?vm
zJ$8#_1EX*RpiQ0n!KZ1?k*-^x&Z|@q+Tu7r1(~!CGMCQ!C3qeUG4wfwtXZ-$RnI+V
zYbz76B$Z8PIDMCCSi<doV#IIKgK|3pgLRwQXy1}hR1f`tl!dkKJGIc2<9IB?FsWH1
z2+$rGA2)83xHV|xN&yA`Bw*`69l-CdnkD9Qu%Ja_^tNMVhO*LDBUUDWrc7olkXc={
z+l-2Z;!Lfgbc}!5-SiriwBAlZ$&$$z=Co#u=A}=R(nmqJ241VNNmGp3>lY<R21Tbs
zpLW%&KM!5s%DZ=Mbgg$kCC--M%8?^N(#2l$x&QFsyZeSB>H8v3FI+|OB1QPoS>rn`
z;AU>hZ?%1Tqv(W4`%`~gCYMI5Qip$)S^YqI5Ho{+kzJM;ddI}WM8?ii0!qg;)ltLk
zr{mlErnelFM`Pl<*#TYMZ;tklcN*s5_h*VRVgM9kDoT&LyXrILoct6=K_M&ki_oB?
z?^uUCoarJ6@Xlt#iaQLo7w?UX3W^H@mwH~whe$0c#eN3Y-SN#2V^<aGJ)ibdZdb!;
zbB(H#w}+klppCA*G-+GS!!x3zbk<LyKW7sT{!@(*$mJtqIL?b6oy_99yO6e=8!_-j
zrZV0=gIO%A&RIJZEu^Ir7}&GMNrh!a==^5E4E+jG;B!7+Qq`+a>3d&eeiqy&=J&kV
z-4x&cA;o$6V$Gz053yGZpBY=9o6yB|@8^J~UP%8CfqlcMUq8B6w*tb0h`l&RQlZ!)
zztU;N_I!y<cDM$XdyN*?>ELOK!?AKPKXsJR<+N6Vs&|XtKtb~6r2O5@a-fz{#mRSx
zf5;erN!?_JKYX_XP7WwUHal4I%<A3}cUT2c&jP=@{*&bWg)x6$GVTo=$FS}|>=!g)
z;Ki^0U6cQ^zW;@LZp52JbWy1Tu|I@*x=Nu?55l3+fuGF%5#q3=Lce7TB3-uu>Mfv$
zLLFHAI-eRG`V5^eMkam>IKa<~IGXe%iMoVyaikKEQ0XQ%A%FHOmjI45UtWMjNxXgk
zwP3L@&2A5>L0lg-AAia2Y_i)K%~%5bWBVWVeKinmN7FseZth#b%|_Umu@>UaX=mCZ
z5N)@hA%pYaE67H4^O)Ez>*q{tWkTqO%=%m}Em>E#TC}%v07|zuK;8-eP8=-$yk^LH
zgmQ6y20SojqXj=KyvvJHAM=0$AmQT{)Asusz7=n0H{f?H*e@oos~MnB`_p})iWWJO
zJ6qt`l??3weJ7R-Ak&?L1+V$Yu{i*19z{<dJ-|y|k4bi)K`cFt5pZ8h-C<25{l{&R
zfRjg|meHZ|r+eO=@2zi}E4Cg=yBPVD+eYU~&w0dLv9@&ol~c6nm4j*j=cs_v5kg&?
zH45M)3CwN>e-^!(70|vDhvL**aIs5}(~S-3HzzlVEE$TO;0$(xpOEiCvkVR6Qs_Fw
zrF5xN`wI>BF7?GMbTNDWodL+rz!hx-J?58fRVPxtjQi4unL1Ndv77wzE|aZaps%k#
z5!$74n|MJqS50K#-dSEVDm37uo#eghkIZmw%1exQI`W0r8Qjx)<vsvUFY8NKiFhs;
zv%H<o9((Xqhv!bFiroP;AZ-8;c>Xxqz;mFyY5U8Y^}F9iS@W$HpuIH!lGhB7`XV_9
zJRH?dsVKI2JdBAy+6-kEsb(E*XSf+OGr|q5P_7H~j;$|?Y+SGS@#i#wY=w5-%Z)y#
zeLboZkkBYr_}z0aH{=hGJpU*#3cz@28jn?+uIKLpTMq%2GZ^EZb6wzWkz@(1P>)XW
zxQCd27VHy35cBC8?JP((cpt$CNaujevp&a%e<JR~yMcJd=3XMh7KJ%tQO{c8)sOIH
z81+_DedUeo;e^Z0ZuS5d%;<d4bL=H}vpjU%F9cE$OJ9pJ-|t);udMh0TwAYxdeV*M
z28F~vJG7&fdcVoylY))^<hR~}OFrm}e7Zs5xl7#uC7#uQv9dH7{KUeQyX?sFd$3x$
z7?wJwTssE%d9Hy-18C-y+Pz*-<^LEx3NGDcQvOQx!=6S1*k@@}>->ohASh99+LS~z
zHC|IIhz<lNxwAARbZntafl(e-Zp+cym4h4D$Ino1?gQV2B6hQh*RWSo%CL45n#Bu@
z^Mx90Bot;61uUyrbQ0x8z^Fmq#MhiWzjrR6N|}~T%(3k}Qb2Wzic(A4I7pxoSIkGZ
z?!EbnV|srS=?)SmiCO!K_qnol!p67QAw0}3lu-M5uN(R!u@Rs78vz2vx4v5nmd_G`
zt&V}H*N{f_9oWEl{&ag;C2R@BAI5DyDkoH}1(P!LkAMDXAUtk*G5#9S@V9rgBUnK-
z_ABTZr`L*jFL`0vFoaxojVMDm4iGWNBaquSJ!Y$nugKqv<#3|a<?*ar9yV@#9;nW6
zo&P#n?cFU#EBm?j81N5%ROx-RunjWy>#Ln7#GD-nob#~xy^N!7q31kN&ZB~iPfB=P
z203Rza>Mp*;4x2+;}zy}7r-gnHop1Sk9bj~j8ja?c~z3T&UUs<gm+kz*a-LnV1hUD
z>`+u{{Z2t~hi7t<Qz@&~?K<yC&^p~-(qz556pz}s_o;QA0a#+h$Zyir+mO3mr0@g&
zQ7Hde0mjV`aq(uA#z9o1+zx6nRJK2SPvf)w;suI)yz}1F7w0z1B62UV?`)W?+Xy~T
zBsKqO3gW36>%-M=AH+!EvH1K^FnCX0iOfIoU6~w<3{z5G$g$otpZ92`%pA=J&vh*h
zjCn~)2eivmUII49&6bL^ZE%;aufIlQ^%LJOtJZvdZPIVjx*$<gK@+YofmtlG7UI5c
zndq4&`8sz1jV`GL4sM{Ca@MA1<RFcHN~!P98#$%TW!DAUtA!enjcE$QW1Nqh2e@_s
z;qCR&(q9w(+T)<Qf04Pg%w&y+ht;rmojZPvb;A5pn)#@9U?I${v&c>6VRZGMunnaj
z#{i&SWhJ`tuXxuifVW)&?z=I|Ov(kliuM-^)o4SVzLI>9_z@4A0;R$@Y6}Qd8|)w}
zbP~&V8pU~bEvX%Nd~h8J*_su@6cH%}hLFd`u8zl6BAbZbNyl;w2=*|@Gj0ooV*Nfg
zj-xOwT;oDuN@|tQqm~Y)JKj5-tKJmxwagMbP|KO>621`#z8Q^szibU8f~sj<vW+>V
z4rjJcPF;bh^$6+HdVrkOEhWETMWKuK<4+oUJR9Pu=OODPE*yDZTAq|{7^+R&JM=AL
z4aBNk@Bdsz1hC-P!Jg>i+%<$u`>vHVJ1{lb4|m_@v*BS4!7Fw#i6`{x+BNlF?oQAO
z5-wW;8Na3+`=>LZaXy=E^i)xb`TknXy7_+Q$<ju_Ri=Q?7iMKms;xXAaV0*y*8VDB
z-+GyJIoQErS*RvOCAmm@ew_*gp@Z8QL%%wE5@`|@l2@7$YN7XnTvlUOCnAd!-hgor
z_$6(eWzqLtJnIgoFvjolFiv;q?XdVM6?h%ClG@7oaTR5NL{>u19U7gm#=htF5t>M$
zc7aCMHuY595Be$nYB|rCytT04sAh!EpP;BAlt!DT9Cvt~s05xLk`h!DtmSlfl+?T;
zJ?l9}YN0G8bS_Z-5Snamxdzlchr{{08pwn(dh%UJOi~W4P9U}}YzybvZI8R(6^BPx
z!6x<!Bl^1qu2Y{oG>vv<9$PD~bTOUe^8T?ii21(NF$G7Rs&En0)Fz_3z|Re@i;Kn%
z4z{D&>O7wiI9RrhfI^syUmYvRBd{&Euo}M6hEDrqmpkrfq6?JgqHOIVzaFopZQm(p
zzS2GIMumDeJ|YLvr$e6IYeFZ|mJed5!nXzA#SYgEzWb@P33z%7-FU%@>Yn@#w1Bg*
z*@8#8fuw{)#aQLH)~Hfa&TxJ<ZVT|^XrD-2=67IA^TOe@>UxH8e!LyB--3;nrHhA-
zefsTyl`2xCDG(>0_lGYj3}kCMh-9Jm7XNMB;gDG|dC;|Fvn167#Ea#?N^xQ1V&J=t
z=x65^8_`4PQ@7gTG5^vcfty<|uwPcQPNf#YS=P_Uus`X_rd#Pn7ZZprm4NsL0XP0<
zqc$M`WeUn|Ydg$vVb!jhw*ZG>7X<eTH5Jo9j|=?+Di4pGcJ3$za~U5xH3>4VT<(F9
z$03N=*$#b}BmLA)+I~Y6u?-SoscZ}80nE3GvnfAb>hh(3^CpbI7QZ_Qu$8+9&CPb$
z(;tyg?kdEAE$PQxcEpD#d=m9`OW&R7XtZ&U_(#8O`hfS~LZ=i7QU3OLf9y9h5AT%`
zs>MFLJ71(qxe(p;&6Lj)+H~t}(%m+EbP)UW*l+V@S1tg6n60zfGnap^I1P$}N)1Ja
zSZTD_pC6O&fxXDxK*mbn2HM2|dF!R4kt%@|txOY*Ki%MytHi474L}s#fR|gtNpf0?
zS>~I^?3-QX**WTAZ`COsFtUty<?BB5#OB=#iE3$zQnckF4fd+D)lN8MDcn0GovWIg
zdsVB#43PsCFR;`{n1fe}6<emR<Zpc5knP+<Vi+jeS)am&CZZtl!J!Tz^w2N!q;Ffw
zg*r*W$tRHea&wMe-`RQdq^7(&8GjeBQcQ~b<+o%!+=@UAX?qMO+*M6rSH}k8A|jDq
zOyCyoOKRUdhWu2-v$PUeNrWa=WU9!Hc2bK_BLFB>M*Vq&ZKM+LaDfj<rA)j9uWUY;
zz?9g9O^iYQi)gtl9(yYs^pZLlX91{JBY`W0qDCl3^-sXfY!t@1y~%ZZ%;=|6*E4A(
zt~R>&%zN4>@n$zKTE&~dcse!F7-BGI+psiDghAL?O%mmWvW?e8P3C>UnK|}+C6-op
zUfulebhXkPbUHU6#j1>sgt%3Ae6#RoGtPj3u2z+3p)F*AOIEsoB?igX$+=1jRz$R;
z(Qe}FCv%>4KF!$h!LCM&N^~T%g!RwLkDkJIcT;+}b(RxOdL7@UJz{YRCl;l>6nrky
zRy{xbd>0gz#R_>Z&H3h<l#k}?tQk*ym^>!W@ZDvTEWOqRHVi{9`jdYF>BH35Ui-_)
zUK2osE2HueSmrjPf;+X4s-L3lq*nQfT<s14Tf47{MdG!}-`0KG*THw}LS>u{m!1rv
z|D7P|Ezo;yJRqVtsbe>`_u@|CW+ym8)&zJHcSjIfnsStW>KyU@{?t1Y#I+<{JF6QN
zvFcew>&+g<krJVpWNj<U2llcM$IQ6v`~d)F?FfgOD2EPoUPh;(giZ;Ti}dF&F_sCh
z`^izgk?@z~gdhb6k5|4utD0xh`?^_<WICN14!6-4RdakY?=I$lPtzs=pO~o7of%iw
zg>rWeh=}TWIs9_E=xLE!{>0f4lY;VYe~2gt#WL1xTFtCU#GHLQkD!Y5-C>m<@;h%i
zev)S-_K&`c@cdYdW6}X+g~szW>uyEVmQB2nt$8jh53~cyv;5wtYoT}o*%J)+H-UB{
z>kz0v^JY+6k8e_r#q^XnXpsBZVSqk4WgKB$DdpJPV{G8m$02HMMRaISM%5eO8d>7;
z*t6T#b%9%vycVyb#DiYu&5Xnr83&u%iI<68-6H0^MeRjIR4K1E7MkDs3uJ7ZrN5l_
zF<CKNH>8VUK2d!C``-Wh87XdMOzzqRB-4d(T?$j<o8D0h`dX0MZUY0`LtWI2z}>9}
zEUd4UQ+n{lPtms1(`(eFf{?BscvnBBG6^<Fo#duIQ)y*-_P>uI+~KSM?b=;cL+%Sw
zf+k;ybkbQQ-!}EAZ<D}ntGCXu6XlO0a!Kg9Uy}qAtv6+E4GH6WRxlF2#NK8iO%PqC
zj3bI%wpS-{^iZK4^66=pqe?`bCU}|K!elx1(&{$rBXtKWejYVyEaHDr-2dTjf!MjM
zVBbX{T|uhIL=5CQ)J-&JtMi5Rbm#-0aRAaA0Ana?<7wXgtbz*21R=~~QL`cuW0Xn6
zHQs5himY|L>imy$k-K5{42~*d3R_rV*C#_=bENQA4-rmF(U>^^Q(2vfU&U_59@9=>
z$4cO0!nxkm>>x*AWa^1UL9lEthF^SH$@fkeq{KbOIUZF#H%z$nt&XOP_NELA4n>H2
zhdmw|(uFeVO=9fWfoErgS%)Tfo|X`;ej^<ogp+^6G5Db!BI<M_$807l5$YrZCm)KD
zkDBNGvq7BhMhq7d2VD7k|5@K0>|9PzhyIi9tIM#rvz<jGklwtAGt4jZja|Q1IJd+v
zGA6OIBE}O(M=QW$A%zM|!dIZ4H!AbZ_4xMRQ0yd!v{2bK9ZBn7luEpKLl;A1(#}?`
zN*L;soqsbff3AZElJRZ!n?&-yu_BIha<t`<y)*dCV;>HQn0zaF{9Zbe1RsfrIFc0N
zh@-DRo_axpr~_Ps#f-z(wRfI?x+}w|8Bovo&_$ln`s3r=+RC2~;8rFKZb=tmJ8r>1
z&z4S(g>;%)(W64KUGCJYAR~(fGlJe%ljPJZ=!W9q2^1liu(8ef$oSI53`Xvu(W))?
zY)1~F-n_uw`t)D$9T0d0q>cNW-xNUR0D{K9DE?EU6_p4=wsj+F8C3At%u#Q}{tgq2
zOCryy+wlpsoei?oAKXISgxWD$GG;TZ5sNh2?fNBG-37z0Jw9*75rBs4{WhT^3^V#}
z8N$HLw|&GXB}T@g&~s=KBc-jukX^?$1wu)6R3`PojxjH(*B3O=QlTnAZkJd!yjdF|
zAUp{)E;A)RmlP3*E=LdIg9{jxaRtkA&JireCSU=~lqtFM%^Ja9AJmL77&iu>M0?GW
z%FvsM&p_=VV{O}PoU^E(AmwEH3%LrrGn1}Oahj^uensrmx)w0k?;#YPKYRiEpINg)
z)fPB8#h_L>%`Dv$STfz<@G5`zQ64_&-FfGp#4Z}GHw7k^CU#Z08hgU))Lkf0v&`Ur
zlltQ`LfkXqckU;!GWNvW3fhg?Yl5decuOa1-Q|pm-2uF?to$%h@S-Ci$2H>v<^bxS
z#v%n_MvRG^M+yVu?ofo)=#~H6u3UgbP&WyDp--^`7sm9B!j}SAG*V=e%nJSHFQ|;e
zbkH%8BS7hS(BW;wdQS}i6ACDOL_Y0e#oZ3(RPAY6OnXV7h~%DBFww<|`Mb-@*tR3>
z)gFkI+-@ZsF1{qS-E8}_SK1@YmR4ltEvMD~8$SZw#%1eiK53?-^bqcrgkU1-WS_2-
zTIw@4fT&n=XiiXbU{9k^I1%E15ihz-DLckU(g#7lq;gwo{-Nw@QS<f{+pP;(1bWSY
zJqa9^G*wUst9oQZ-&*I(FZK>nRbzzf8Baa&1b|Fp@9<M6;P7iiaFI}gVrsVI)zLvs
z_VZZs|5<QAdi$TcM8ej1DgY!2+p=`?*4Kqf)%0zwGv-crfLlJlMjpoF;#w}(<tLTB
zZi|6L@xIgJHd;$XwNJYFQ|(%D50reH33$9wV0H&7BRL-ei`_W>H`k1TSNV+%9K%TJ
zk7aN%BahgnUrw-k;!GG$Hz0j85$oW>?ZMj03kn}nU^t#awzL=UKmYveokQ`afMtMW
z0Mgtw8cUhc3eQVm?>Rh=Z2_}E-+_|V?F-M+EafMfKGa6&O<TY#!qr%2v_%|67&Qh4
zhpgKC@64RY4Aq=97zRm!nD_3qw6etu@i_J;$3|fh2JrLJd}@dggE2`hRwTNyKh3Pf
zj2mJ_Au3u;-EFydWtRCpi6V5D{cxb`FVHrw?b&r1G$`Xi>rW>WmhCnoixNF3<0wZJ
z_BP1TrLWU}B=Uk`4o7utD%$5(+0Eu92-!jPG+>gLZk%HHkL%`Zkz`?=9({Pk2p#*I
zKmc;|x`EdrFH}$Y4h+r(i>_`g@x@>#lXVDO8e!}HrGW2pB*v}Kot<xX$gpob<mU9&
z!WirsH#`O<xrdO`wX{buvD5QESBKW;co>i48-3g?74tLNrkH8Xp_SLi-4;sXGH(WN
z&=N5dqli)I)Jh>p$Y5_96QomPD#g6|i0TER3L|1qH!f$f;rnjB^4J90%v9)4?gs8~
zR}Wi=j~XxDPbzZM4Vb#_0D0-=&1k<j#?cb^&azYqV+FhIw2!pt%Zsp$A+!1{ua5%0
z&_R*~pzY}a`?;JeJS>Z{oukS*YmN9(d^3`Jv`P@&eh;w=(sD7WXwmu+f|~{L=!p-`
z|FHkdV#j88JcqBnQ{}OC->NE<QWN$g654BSJVuq;3uRivJ5vq52idzjh!3^lJYV29
zXlqro<YcG3;`^=tY30S(U}4p_>TjWaJ$PAT`5cs3+gd=2IOlSBs+k0KuLu_`yv8e4
zFxavPO@|e@-2rKgu6+aIL2AzB%kK+)V`C7%95@yb^L_J1jyP*}ROhY*A|SfvU`H#a
z0#DQzZNN>bN+v$Z66wcPY{T>L_Y@|~I_tIGsRU8udRALq4JjZ-(MXGmG-F>(rkYv8
zWm40HR`%~*f}2NSplSItpHc59!E27{kZacSW-FO7%E#MBnw1pn`T>b8Gn-7~G;rkd
zB9Xgx$xzjc#=ztpRQnH2LIgHo^yEq;5OvI?mq1z;!!KVlum2_!Oo7elJ9Hur3|7|e
z@0WI3+3?hU^Y07Va!{SW#H_Xfi<1Ffw9g^MAMM~&@k6(~PWwgucdA#M=f|g|<-dSh
zOvg%R;~;f%2_IBJG+mUFh{+LoH?EztPm1=xTJ}E_`f!OZSKMWUpl5`M<kT|C|3M4?
zDM|km)<Ee5&+&Yn^}4e(RLtl2;x*F@Ab^ZdF17H#8r^@@o&R{@zj?@CYC7`RDPD;U
z-f&D#`oC$)-(UaVPV-;-*d0*xB7ip`6)IG8BZ*9oAM)3H_#Axje|_n@Z)6^uu~#}q
z{)p?+h~Qh<MX25iqWYnb80_3H(7QR56GE{EA{aXw{ycVz0u2jx&Apwd8NzO^-62@X
zfMo|lkLpJvwOLJi`=06V*dmCE{PY2vw!(g;t-^dL>F5(WyTjo^gBwV3M0r6ImaH|y
z>o21zGCW5?i0s`btI2%%BQPlD^two;+-Vf_&_lwv@2I^-HwWUEpoMJ)I_<`Q4gGWh
zPbnT9s7GS5J)8<v!ks~8tH}$TA)5_Qia{V|+1Yl!mTP3UIPbHQ&z}p&=HoUmC;fRr
z=V7i8%%x6{jrpx2a@xbZLlxQf_~7LR=+LakenoQyDTpoIQ-CN6fGx0Kh00Hq>2O0W
zzf_6!zms-jAS&`+$`VAi20W;(cJ6?maCHxeSR-hAVwYq*)p#lbonSOa(e(icT1QU=
zR$+vHHM<@A*|P_7LeJS02v*J@9pwN<7ULJp;*}TCIa*ee3_PtGfa%%@e3U7kH0Z?8
z-(c38QcXhF<JN0UA!OMhFhiB1YmsVx;EQp32;AT|N9W)^=@56jnD#|hI~<LC3WZKE
zT<%S?{M*afoh*p3dhW37u`|biF5v*EDdSEnaB&8XJ+@Pe1_hy+9w##5%!sijP}aI%
zI|ZXs|3e@_{r@a8faCsa@rEhs0r{}P<9yqqw7mWXWP6r?p*Hfi3k0!PBS#9MEzHHj
zSPZfX@3vpwFwZcp-a(O@sQGpPY7v}LyMd*m^_-vXp&v}G?t`(vNr6T*v34QXgB0!z
zMc6HLsC-Fh1N;?U-GJPO7>V~(8V%LmXq|s2TZu-1D|QS3VZA`3CN#%6QX(n$ArQw%
zJ}1G*9Cjbw3O`MJdSpsnt>jy55Nj8Tx9^tXPRw5ZTEmKO8VZeXgY5#Jkn~R?T)7Vz
zgm8p9W;pyHjM)s<(SpA3%@&yS{LCGY^>7Qd<Qh;kMt@HgHG?|D-xj6ce+iIM^W|QW
zwh3wt*$Fh=RqM|^DnQ#tmk5s~GJX$)*efrPTvg_YBetmva`4OCAPuY)z@iYDjUwji
zf~Gz#j7j(BiHU-M9W;3`V7zb$CI}pn$z5WaLC<FvrQHPTkt#+)p=gBrIr~E@bmS5!
z@AuG<GS1R(KW`8ZvjfviwJWn<be%_d58Y;8t3+`B_69(>>7P>R#!A|~I2h6`6TZKg
zI&>q;s`Va2<2wdnEFo^Kz)Q!;u$8vt=-;_JnO>tj=)=?ny-$bMwF{uAXv9p7B!#zY
zmgVZY%IpakTMiN4PBCRwo}3i48Lzfz1B<D-wBq|<<cQt(--SoOE5^!<NvpjZOdJgg
zonrKLLpTKjv}u3W3ZxJBG6F%J+!^dt#_jjsd4bqy?VZ>7;{WznC@L-sZJ}XMH*m*N
zIp5kfZ4Ixx_+a;^0(<7AL_iaevF4A#Zl5Djupb)X&(=ZB3aau3t7qvWEPUL?GS91K
z*TcA~vcPUWE5|-<=5e`TsS#;L>d&fg+bj`{5m0C)+(X=@D^O?`%>c=l43m(hDuhm;
z(kJy-OC3qhmQ{73T?rqy3Va^#Xhr(M)?JQ5`)pfu>a6sY&<>4C7G!A$eEg<%F*$TV
zdB9#xT#jm*>w+DidM$pCxMkSbYqN~f{bbx7+?z}c8S`&{_%pQa<bWXy-z9>MiEXrq
zXIu;1*2W?B=HV{lcuQ@hp<mGPIVW*d_NZcP063a_48icRV2F~t){&~c7myihk>Vj!
zUcJv<zrLHu4MH{X>}vFci7fgQZAsD?2D3u!DTT?zHu?_volleJk=3dE(6xYS%{s6A
z%E_d|3IJqBpM{Scz(xAJPp9-gk(_#733lD4nB&|D32v~7M}JD~b=NT-oDEQR>ja=a
zP87NDFCLb`Vve*RxuHs_-xz?S7OCDHxy1Z1)QkN&9aHe*<<(m%1u21|wf^aQ&S;{S
z7>DjHt}+}%-USOF)DZ9d?&HTG<kcV?cOqn~u3`p=fuLp;HQT7cEEfVo+su;(pF0zH
z5>6~Qp+2k`$@!Xhbe-3}Paj}eop#=iuj(s}6aPWN`FmMBaoGHEjX5Vh|GX|-YZ&0f
z*89*#Qn8H+A5;bSTpzE93lb({R#JOlB6qojKw712(TowqIL<LU`|`K6DqNn(D|QR`
zOfF}rggg@uFGZCKWnOgX#@yDw0<$llv8IK}{z!96u`p>?^{!UM++@A_@e^S?)8W{E
zn_Y(Rz2>K&cU0p7e~cNjL&UuyC##Wr-6GmdcO*g1+}Pi{ejt`kKoa1#Ps1~YhLF41
zqV~35e3+EwVTG1^D#ZY;6`n+-`tKeS8k0p#07?H><@~4o_#e&r69Y@kpUZvALK!f8
zBfD_81h~gF$p5|hCKNN~BxM_aJZIJaH%bZ`j3%05_rm2Mvhdt}p-hJvM%C+f2D2zy
zXfo~yFcX!7*sV`K0w8tmViHpE9pW|`C&pV~IhJX62RTjbI@9^m$48!)ao@M&Z4@2l
z5^-#pR`r!Y*M*n9MfJ;vlks&gvHjzMa8<dt-c-JtU(1L1dB2oNd<V>Kgm^PwK7J7t
zT?=EN&Vfma#a*prJqs_Xb>}lt;Y00rSuB)o)#m)Z6+ScvNm!k9kt>G=<aagS`fxbi
zpMFO=>G|D5K^9r_3;%Jn7bVZzDg_I{najw7y0$GA3sgadqQaOf7o>G0e#~Ly#7`$;
zR#AS>KAs)6GQaVbnp}rJtwGaCu2e+d$BYFxY_emIcOC|biL3MzYJ!;0pGGjxG^n(h
z{Q{P6fWl)FX9mo~F05XI(c|X2UvG!5<c;bPOjA;>)=2CXF_aI$6fLJ|_9E&2qQ(VV
z!{YNuDX9v}TT_%NP%?+hzYQ{5oJ`gLn>TG@S|vlM3ABxc4@Zl0>z;#5McN!>Y%$9V
zV0ccSUIjz}zTNltX~{vdZdt23;0j{{k0Yr^^j+tA%lu4p5o;uuDM-f91_)$3!ud%g
zliBqT#IG%-^BaOGKG`!IRK(i1-<?G~b$;Q65gm)w0Q8MSx67X6gYuLq`ObIGqC%oK
zz*5NA6yEA-PacEs66`mOxEEr5W+ctVqq~8+G7`W<hLKnZtRuOaz6``boZp&q#6g6k
zP`mlu7$G0|cbuz%jiiWJX2kfq@OY|>a3S8BG6}F#LSuYq)#xHkt6!YgUJSf17xC8o
zQs<<a<Tm7_@>&9p3C4O5LoulN2M)^P&6r;qwpWe=@TQxWTo*=sL2UjWka7wV%cH4p
z=0ghC#wdFrWm_E_snBI#=DdR|7jt!x0;aKx9{N4GU-ENpqiW~{(@HnsJEntP@_AF6
zy%Fnp$L-?QtxpSAv%mUk*nUxJlSYfoKc{f~Cq{S4?E71w9mjD-2GgWFNUvE<mjHG*
zJ|5JME!Xq30e-F7GcWyS*`uOqy9B?VbESJt(LP9+hj^%t#|FhB(1yh7c>A!UpdczF
zry0z2&5>{g$DQHmZm=VrHO8!I2`N(q;$)zntysenuWY4*X(9TZAi^HeHJ@)%ZCxN{
z5?2KgL!qULo@D*f|NC`h-Pwtb)vv*+Wl@G9LFKSTdS&8wijV{y(<okOIGq)PHi?Js
zZin9)3zFYC=t_dZ5Qt7N&Hwgd`Ri^QELKo5<Kdi6&cw^K0mQM$4W18sKX=PqzO^{Z
zvG@C0Im(<&a$onET6sS$JU2bd$LlVCNAQk{0wZlw@pClw_|qB2HgLUYt<J=<Bw|^|
zt1A)CFr`0pjMeWHCw}B47T~m#W~(_y*Vdj=Rn^RgC_)#4{a4W}&E7kG5tm>-%C{31
zZIN!BD;n&RNAZZ2)OB`C^AAN!A+`OttmHC6l>b-)Cgmc&U<sVnx<#{<6=h5%SWUu(
zg%fJ>wP$y#=D+3?<!HZiI!o(1B&GND@)JiUbNJ|Udka}EJx&aYGCn|C%-R^Zv_XmH
zl0m>&fsLZ!tR`RI*d!INMMT-ytUSFw3H+6G@3Zc9CF+&sx}1y&u_OqmWvv~T3gcWi
zc<?o-L7%d^*qyjKB;pB_c6=a?!U-g-k_N~B-q;}N;~I85Io=9U`fU}^PS}EYgl#{P
z{u0%l|Izp2C$&l%D>{kDT9xJ(-Xm6b#Y12ty7zykKCOzMp-UA$?IG-$I*Nbku3!Ar
zbAQ?D`t;`5hrE|?WNMNzqV5dx&qrHdmFcSTx=<b+NV<5QOBm<8ns+DW%3sTGIq!x<
z^cr6k5Jzm^lqL3$;TA{&A^2^VwNkEc2bZA|7vV^0%_sGr82=Bw3EBVvja)ZRgVIB$
z6i#EQZ*S<MnBka4d{dyb?{&+Ycs&gqsDLcv^S`n7zY<~r2phEmr~A{TTHbOf6B1Ch
z8+Q>Ins#w?D933gg;}iLxW8=L$>i1|+fw2>+6XF!YV32JldoDPRMG{wPI&|2+rXs5
zFOa9P-nJreeuRjcsKOgV64&*-vCDyecLe^IhUb>v?sUD!_`V4zxZ%1OwJe$b3;&0;
zw~p&-+xkXD6p$8>4iQ06P`X1v0SPICpCC$ubc2K_DN<6>DWDRP(%l^@0+K&U6iFon
z<&MeT&pFR~&U@eUyq|mj+JbIazqQt!bBu2d!lre`1TsB7zq%J|qkb$|d`4|&4ag+d
zd?pw~@OQaoXS;mOu&2pat9+)I@-&d-?`f`EP0JZO`^VE#Z?Unsk0eCH*oZ%oyWO3y
z6kXoDNIbx3PpC9DEqF56zW3r4FOZFOk=D2k70!;HA}3(+`tf{M`KVqSZr#(hDiwKB
z0=`vYrblW77xkiNA28zhIhMkOjvb>275WoISosAnslxrS9}82`08U+6%@q6iUA7x`
zRB`>?=U1CN+#V^811a2BJf*kD`lqE|qN_QVGmNNF;<0=hcJgSWKd;=8*?aiv4L*BB
zw)TwWUjde@%k<+^9I^~0|JeaBv(ZZSAi>(mE@=L%fSBYJ3(Gz>`CIhP$!WpwpfBCd
zp{ocAYpncyv3l9CDI~pKPBosNefKxuF=y**g>feb>1{gK8^QmZGp9q)MDYCq^moE$
zp5Zco+^{LqRECqzV%KqIp!rY<n>luoMDR)gwf&!f1;1fh3W*rXjB%h)Oj@C>ux+--
zXYnkwAQ0?<ERYNf(YP|hIIEqtnc<3z=SP^GZL5|z_WIqy!Cqp(BNzzFm4EP+UH)&_
zNE5bo#&2fI+B2s61Vj<7%2LtFZQ2y!6VpbRi@P1IU8(w}SMUA1C-fnG4TGZ^5qF`F
z<@@YV|MiOm6Cf7qENIUXlH<Ws>#816xIpM{Kp+=Zc~LK%ZA5Axm9D-5{+u%Ks$m)<
z#-LO)t&i6QP4mli`9KZ>Vxz~ddnA7(YrFy$ckEVOYG`ST<=422S}2~n;OWz{8t-QW
z=rs|ziI7dIrejJ>IYLf5HLi$3m-Ic+Ky}sdGZEWr=<ubL%SJyo@AO<^eI;e?H*%6P
zBMILBGq?o&$F$_<q1p}d_2ZO)KDNUrb+J=f@>mD2UV_T^sxwKxlo@*PPcx|R>njsz
zGXAF?m;KnLrbS}nRRa(L`XEqtL77ZJzNq>ZH(XITP$}Km>0`EDRpkCFQK$0G?2zP?
zg_dhg?}8SS!V<sr2~UOIg6kXHh2X+knr03Rw+NNIbGL%L8K50DOIa_%d{vH8^9~6!
z(L4$5kIVWxkS_1Zc@F9+0r~3Ncb#ui#JZ$b<w=m7IPsFOFfrh&MbCQ;JCus^S>y>$
zFK`~?eWTEb_C}Lzb!<&NdSq!=C|V0H%{Y6NV@G3;jg{Nll5kY7^MyUN79bnOM~O26
zEXZr3GeU2fXHfk$Tw+DE1lv>aOHMUWxR+km<<~uE<f*rixwGJrYKxo7@fNzw#K{g*
zu5>MTC7F;%8{RslZ4NlXvnZ!S;vE?NKD!&x8~Pt95gSR&oS6imvA6iB@I>Ku0M3o+
zF%*7OWYm7gKhT#{ob#GY$IraA3B?fFnH0~BYp$T{&mlY;^0v*LP~VNMgEdTmoJIBL
zeU-4b_C1THknr+Kns)rmw=E}pa}ZGRU^M931)~Om!h=Pw8!23lRzF&khM-<EoDXtp
zbPzv!az<S&c-8kco2uaR$v6#cZ3)O?yj@S*j7Rn1zif^7Y<?oqW_F_86N<Ipb4VAO
zw1w+VY7tiU4CwniI!QTk2~ADnTL((oJ+}-f$y400C(1iH5=T}MKO2(edMxtXC$FX|
zwm*T#h7RO$GVN^3KHj=Udn$~~pNUlJhlVS(;-78x7y#Vj@2nir$1SBiFDg7Fsq<jV
zpSf^Z)nptLvyr^ZFK_|`O9<G^C#uT!AlNIPb^Y{?IX8~3Ex|ckeU9NFWm)sQ_qw$U
zzt_l)-O!>xHFN|k=!bkj*d>z3hHD>)h-{PTMM!8xTTOh=*%Z#28R*03<bJ%#N@|f{
zd?!UN?h$!AU7<Zb!5Qqr>>>l$rPm}cX`IftY5}@`%{1h+ihG-M>Zh;fS5E%ONqP9@
zcaFA?%CpkFoiI{4?p$8wYH0SRyUCLU{L~rE#4YtV*W91vK1bCs0-l~)H`8wL_ciYv
z$dgGKClp*VN@uz(u9(7`{JzUkwP3Gfz*?L_>7XCBoX8v0r6h#q?R!xt?&9V_+u6BF
zYZY{gD26dJ^+rLSMkkh#Nsg>XH#k6xC^ODeO4>G5!jk^s8-bTIsW)G&GGkL&qNq~~
z1vH5*Ot@7KxaY-Kq$f5fa^h;PRjb#zhBJKgv^RbEgv>_v!O>*q4buD?kL{Hh@#8bA
zyvZfei+bB9my}LdK5GB9^ihCr$)iYcD?~~_vcdj_*TYuTTSIC0gZ=qz0|M>#6)uHs
ze#zg}=U>}{ojQ-I4M3b(;@m65wm8k~#MkD})REO{7npp(!t*L;4ZTW@X*o|R&!f|k
z9XUf8$SjnAFV(XnopqGN-)ykC<tnZX6K#{x&a)YEPx7p+8K{OWYA1p3NThzebvc|#
zMuC<j>+$J=AH|CamKPb$XWstmkzI4CS!KOsX!19-Z$d<b=6E0_PG=CcyZ?i_KsjZI
zmcK?GSJjpYD;i}R%@ROd`}SpA=?=2o3MaL!eHL3xGFr@v2_?rez2Lh~8!~gbLo4O+
z&U@c&mlfJAx$Z3zvoSB)Vk6E?Kt+oWh&3O|sF{a(R|uZ{F1=no`=0OxBk|K2Rr2mH
z_DOUbM+-K`xRzF@5>Mi;zGL&-<KLJLJjdFn-PMQGhRre2TwNuubF{<V=$Q+cym0+_
z$E;v4$mwjvAC}c=9zO#?ndpV}W&>vW&_Xi>TpAGvi_p6AX~tp**JzcE30n0Pp1*KA
zDE0kXi=*PYm-4lJZkdqBM}D+eDEV&<7qCjMEJk2O1#J4yo&Aon_v|oB{p79B%h9JD
z6zGZ-4ZKw*zcv<3{<CF0eJ0$a*TRJDY<|dN+q0~e?sZ`LJOA6v8=q4ikY%^8Ui%Tr
zt`r@NnB_4k4)jsk=A`acITfvn_IX$INEjTuG`;bdw?XQfQc@1FX4}i%F2eV8*p1~y
zQTd@2wxQ>j&r^O$4sN^38PXM6dh>A#cWmQ(YJVuw{??KGAC3@>tEY?bp@{Q)W%-8S
zZ2gQH{E?G=(#GH-d<m35hV;M6kgjCn>^acZAU-O~&U5{~lEAYG0oE(Op&+6^hLN;_
zUiSIZ)g<yf%|*xX=g0Hzv@2Yx4b;z*n2q2i!qog+sAg%q9SGrg__v>ko)lrFrw0&w
zxzYOAeJ1);Avdq%e#E5v2=d+rliQsUz)fvA4v^(A>1c@Eif^k^o?kn4l9Ao7z{Pv&
z<u(&NqhoP=Mv=TVeujMXnOPOgO1Ly^<`xzDI)IB(HkN`tFwVp-FVSO42D5^1{zzxC
z?K|E@o+H~Na)MV-wduQebewfsO~?<Ak!BE(%WD)0Y+>irM-DkrO=4-=8Y0~NYcpP_
zZjV$pd<vyes>oiG4qtonwKi#kTQU~AiQjHrVG!QP_6?Bns2zt51Z`}E)}LL?IMe-m
zZTYL$Nq1NBLa-09PrCS<E8XCkmlHf<mlyC}C~3m~kExvP8_0h%+K@OF{<0#sk8tI^
zlqk!OX~w?y8CQw++As{)SHzvaMl*Kf%Rh!UyGYk*@al!iEBy{KrI*#0NzZImoxdWF
zB!C3st}DyerFV@X+V0BcLU7I?EWG~GMA+ko1X)Xo0=A*-5M_8L7r|Q^@B(w0fG^N@
zq0w%t(4g7s6;XewIYT9Q#HAvqXzn^a-}^iEOf7fg`s~B)73)d0y`SG+xEZU>0##A6
z3WEB?HBS&{Sla|2xY_<Ru4GA|xA1A#3piTqGpFxHLY<L*_(~vPo$<!;fXbQ+b^+~2
z&bjwAw~#LF??-O?B#;FxlS`^_7y0SBjG9E*T?*0hnWkZ#qhMwp5BL2vw=YR`P`fzl
zxlKePh=LRRPWp|}C(Qbtpo~0_6Qn}L(-B7*f|mi8sl(sOMYF+sZtN4|-0Jg=x=C*U
z<ZL=zdGB<9iJLvmN`DOg_QO$&+&w??T_~^q7iryp!?ylme$is$hYYUI#!HP~kGOmc
z&WdO?xAi})qGGsXD^&c;Ri_&_WI@>dM4;IBclpTNb+rbHD>XPYBjdrX{)Vq?Mmb#x
zYi}0_=3U3|{KymBcXXNZaz!*kd!Tka7#h9}r2Aryqrd`g?(fng`bnVi)dRStsr#zW
zF|A|6Q6R{lzb^CJ>4GtsEna_TX^dDvnH!7Cpsuz7K1eWk2wa)<LZUgzE(yA3$<BzU
zxqs9E_*&D+06a$k&`gsk6OB{Y!bF>DL7!p+>P|b6aXVlC{GvAcce*U^MRaUT+r3z`
z)e=olRX{Df0%r75UaN{327*n#NeUeMwl`%WlNe>WPoytd@MPTUnWY}awc;%IA-Ska
z2qB>XJyvT5C>|k78NqSDZ)@W>8q+vql7fl#B#hdKMId=o1Q<CY32=Tz{_xf7C!F$X
z2|8)Y$N25D#nB~rMz11srWvl#GX%{Nx8PG=9(mQA;r3R)mYZ?&GUCF1ht2v9>R|o&
zJ^=M5UUpa=Ow)mARM$a2eM2?gsCgBP?Gt~OSnhE4=kY1-Xoq3<h*_k^Re7Px(!$mf
zJ>SxgyVqpWQPj?yIP&e;d)`n{5~HD%<NiZtP-~Xj9gx`9weOYzE2b;jWDc~h4e(KF
zwPYUeheGCp57IxJNK4bwEFXK2dp3lyy?t-AF|xFLION+ClUNLgm@8aQi7l$6T!tkp
zc-M~8qa2b8BNaE+ek_l^uhV^J6@QIZ796`1pxAgo@)W;O(dY#2=oL}-MW>?JTZD4*
zDU-j1Rs-*`T>dgZ9*IYu!)gW48nwFZeX7jY`Z{jiAAblIsh6)c5$TGykhtt~tA1@+
z4a>5XZedl6Qtj3z*d)V>;=WrsB70@rbKjFKj+!N9@i^hjn9#UVe!R(~lg3>ABTJj~
zCu}Z~|Cn5+NIsgElQYro>O^jc0R?j{&Be>SIi(;8iTCkEcV>u}<2y!!(~JDRPuh0N
zp~$Nk%hR7TfiH0Dj0}Ym4uF6vTB3u(ug)^B=HT5vk^*5Le7j7Pcar-EWA>qXEmKZ7
zbzb(){90P=>1nXBmPgMy`Yn1?W8M#FC(m3y$gA?)j?k0ZE8X!+ergDsMT1{vT>ZOi
zODU_;A3GDt6=-*+huN~@1bdXze>9Svvbj9awR@e7ryk2%$Gv^>=JU&h_u~TerKHV0
z$wJzgbGu*7Ft%S6t~FF`)S%;i|D@~s;}$|8DfPb0Pc&O=JHH`0@)qGNomrB7z)gjK
za-SKBfR_#@rvfLrK4CvCqLRsgHh{Fsb=5|m2Q{lVsm>pldLT#^fIGVvO(;l};!o|H
zi>D{g>({<U6I-^o^*u2m0A(ChgHA;601`X#Rr_Bs@4*VP8m@Rf(h{T3Bc&G5HDFhh
z-MYtLLnU+J`$Q2z82fQSUs$IDB#ffG4~cHGt6MbCRi)!7H2aA5%`waevdXUtaB=WR
zi!K`x1WlHTkS5*|mJ4##Yx6NUw`#|$;*N*yCyy_G+`dM4=iMj3$C@LU<l_~YoTGo6
zx%KXu$~pdM&f;75cy1$IXZ{OVkry9J1y$L+si~A%CYkaF7je<!q>25)#Zp7`lg3*5
zyEIY);)p(ZW<c9ZmgT;07Z-SxWoylR8mn+If6#2@tZC(Z>@(l<C#UeOgAJl+WpZYo
zwvWMGiQK_>>x3z^Qs%H84Gur|cR>{1@b3kY4OY~{a)Qszmn6^<yECxXF0b-eK_vU-
zx9~p-BI)Ct@}df=)!{6~n_)QdY|rl2<eaR3L31pnR4`<d3Hx6kL)_6m5M<e+^{CdE
z{!;&PLXk@0=<A*|Gj@8Kc}drZcNx7=tq<JBGRRrqJo{I9-@lU^Q0feSCt|(wx}k=2
z&)<*p%Bjb5B2^~<__}=h_1%+~F&&Dh5Gf+}0i^X%Ed6(fBwa)6vA&Of<Yj@N%`Cj{
zPnY{iXMgMZkTS`;F*~=Q!G7-kpx;6`!(~(Mi%cbqf8a%<NgCn7BMvg$WeoJnI_+|4
zaNyN5e%XgcPFt{@m+z;5jAvH+eEOjpOf&X=+X3vWLZ7H|k{p8l4U*|zobo=wcPp-0
zArS9Lu<vmT)q`0ks_<8~HR}Nw_qM$YHpkZLeRGd+d(E1%x;W505wg^~X?&b4oyB{{
zAgge))+3STKK9nv`F{BTVy-bYSLq<OP<N}VwTzrE_#flS`w`r?X6Y~8)%aV<xAsxM
zeZyD;<au%OLi8+2Wixe*kCciS9`pmNYgYH*$om5(2^T@KlnZ%<PmrjwSEv<*wuX`|
zYTEBkWU0_NzPd%&)OMWaxEs&UNz2EJ)51@-n*zz}f`--#rY!{RaqYpra&DV##ck>5
z#d@PPlKHzX11fFR+|sWK#rvwUC$_+;?tCG?G;&w4X`9?TuVz+k+~&j8S#9F^8yt`;
zBekbM8%8I<A%5pn%+qC%dKBZ{;}?{imWsr#g(?L0SA8pBNYN*M_-dSzEEj}Js!g@(
zi51&-D1|58X6Hmmjx)MVKOSblJ743fD0@kY#vFG5N-s;dBY~cU;K-|n5|Vp2)gKP4
zkx4IL_|*d92F|Y4bu9wCQCiUm!HD$wcc`Ov;~T8;o2|`t{Qv9Td6H2fc?B4T%^4ic
z^cVqA=$vy4u`RVzzsrIGp5rgM!DmNaf88awk#Bt>ZT;@VJUA(?kbz|;rT4IN0FLIh
zAIfu%Y^nZoq4r)H*G-<J%LKHT53HAVlN(Ck;3x*Zu8TB)c`d1Xr~Yjou{Q6x+-k&Z
z!#Gav)O{qPpJAwR#a{m<bFdq}2N^EC--Vh_<Khw9C0Z3f{S4VDy{Cjo7&l3X@6P2~
z37(ztlub~4PyVo|?uD|a9gq4d6IsO%X}Yk+GD&&XivGUi1xps5Un+m4Q?Fc=S4#4v
ztu-8a4LY%{f|_$tziPgLt<|7eGiejdCza583)%|+?Uo+}k=<=E`w$Ri*-l%>CDQd;
z6=Y6ATXd3cg{_@rCl=&P&Pbp>AWej3E9h~+0#G2YskT71a^n}7prp+2AKF>Gt4BTH
zV7@j29?yjR>yF1)4E%5K`7!HQjClG>gR3NRjr+ozFCW{R!ufvNxt$maFb8kpG(t%B
zz6ZKX3hLJ>B9rA__8=D5oZh0K{#&BMc}njN-V5g`M-k%Y$2&S6A^VIx>+0dv{L4!J
zKM12VkEM&93bAVQ5Z`F*^Im?r`%Qkte6-wl3XGMz1vEbcyRIxDSvj?^NU<)9_9eu@
zSxXzc9-xjmK#cF<E>LEpc-@GE6P7fL^iMumHeZG4ab1&`n?0}2*^rEUoP2vvrg|Hk
zxhB*vEB`=`Q5KpA^j4~Mf$^qM!U@_C%#fRV1xvpqxIgn}3>KvmY1AdY3x4jQYZs~0
zrvg<Z(n!+t(B@f9)zu0~Ry<!DPE!|OI$J``v>KMvI08iJI0zlB4vOLx*yaq(YHe>M
zh}haJ+-_o8rrq^}=0@N|H$LfsT=!Arulj6}lRS=`8>XO(3{J@8*PMivr$E$v?uMP-
zG2T2`qbJ|_Y`J#P$vSzlR<oyipoFK5y9cVZ?}^`dt*+U|F!PWov3{Ay{y8mpR{*jR
z9QW}=@j_-VJP7-*i=CVoB_Y#zZUBm$cfj7Qy=#LW2d*EVam!DNxYn(Pr+A=iqtxPk
z<dnruk#~U45g8fgsWnvk)y?k68O2|Cb?GmeDXa3aP+ICn|Fu`DRIpW(vp+FlW|h0a
z5iI`?<Mx9Xa1VZnzjSIXs<YMSf<^4dVLY$}zd#Pg+36c!#q;0DS1fX5kL=KRc&llS
zzPh^+6PgDf`c9VRr-Dw~*mi!L9*R30fv@l1D22+PJs*@B3!cQ`arn$`X$(RSqTNf4
zpRPcRoZ+4rcJuxHM?tnu*iFp!?mv;>pc|<%FHY#JF2BwecFB){Wp<}%dkzwCOUUY3
zotT(pWW1;3$jNGauo}ITZTPmCa7$9$ueP%4?n~aXV}gUwW*|*=frRSCWJ|akvT)oi
zIOi32-|Q)0s#a!kdhtnk`VUUkD|3<5YZ1`Q2om17oOZOhGlGx=$P3M{yZ!|I?Ij!q
zsgDUeq@WA#T>GKALzqG>qj$%5%7dawId^TByw3Jk6CS=??h!#+!79kS&9cr2NmVo=
zSZ-Y>F;#Mt3jKKI8MoGw+iT6y9h#WX184xh5}&83?q0fk7zX`0iTSL=B+A@mV4k7%
z;DNr@IFZV%C(giw&+aBu>gtOHQYP^aJQdSVw$Q2PjLhFWQzZTM!2ejE_zqt3Wl)T>
zl*5<0{V|~d6>ZlUVo%JfT#A$8sBmVM@vgCcLOhF_tZE2Bo<!lKE3oH<+nSJEMpDwE
zqYc-+=x<=D1z<~d1<k@a%6S7%pWZ0Yz~o{W(q^8e27a~~zq?r=DEXt#LbB*igo_jd
zpS#S%mg(*J`;DiqU%l4Y-%Kwatmsy_1?WMtEH1gje9Y}J5t5@Vr&60%mqv<=Vm4<_
zsjeUFc+#gwh)VOVubcKJu%BXV+CdW!I#(l*ciwq*a>Bd4KYR*ZY`OYH&=JKdAI$FT
z)Sge-aR)_UQF!}y9VGoK?uEUr2bI<GXR^+gB?fKIKf6Ki;aC*Szae~Hd&Pw90@NfG
zj{-#wot%$epC5r-7Fv9hjCa^5g}O=#r9`$@-8&ye%6=A{XMn1iqUpB;j^6cXT~EU<
zDetV8<CA6MSW4}voogVGyp~{bV5qiB^X<WrJqx(oHPrxBVdY;lI)Bi7H?{<+gQW)+
zpSG7rONItQIuz<^ED20-<El3l?!7Ot4KjhXBuGaXzZI^w+n)VL-taaqWB9p9qucm8
zq1l?q?mpheV5>L3KkySLY6?~2{w2j0aG>TpNLdwkavUfq8FTQg(%%`4gZ>!R)sbdx
zpXC2m;zsnBK9aOZTu3;5w)f*@2x+JiKjKG-n5&=rBR_ElzPJ+&t^d5-%n{6X_%qz#
zv7F~|2znbBpd$>ADk?3);vkMY`;XCWTsv@&oh7-k{MF}xar;6pcGKt+{x}QKz>fe>
ztgV0ecJ(L0Ch5$;Ko?%KJ%Iv}?SgM+@N9?S7)z7b6G80*R*M3>rb&n8uMKbC7`|$w
zOkt^(PJ2Q8;~newhniAD8wIQ}B$s&~4#8ddUxl;(RzUvqSOF|fsHOLYT+oKX_uvk>
zQ;(g%aor{hNQL!>Yy$Q4V)zG0D*N;AWR8E@1OC0F{of&fvYSA2v>71EHu?QNK&-)k
zsc;qL|2MH8|F=K<e{f9+2b%{ij}h1i4Duk=U{Esr7kzQ#^l=E!K;LCOAMpeg+UToO

diff --git a/src/postgresql.md b/src/postgresql.md
index 4721891..f7ab1e6 100644
--- a/src/postgresql.md
+++ b/src/postgresql.md
@@ -1,5 +1,13 @@
 # PostgreSQL SELinux Support
 
+-   [**sepgsql Overview**](#sepgsql-overview)
+-   [**Installing SE-PostgreSQL**](#installing-se-postgresql)
+-   [***SECURITY LABEL* SQL Command**](#security-label-sql-command)
+-   [**Additional SQL Functions**](#additional-sql-functions)
+-   [***postgresql.conf* Entries**](#postgresql.conf-entries)
+-   [**Logging Security Events**](#logging-security-events)
+-   [**Internal Tables**](#internal-tables)
+
 This section gives an overview of PostgreSQL version 11.x with the
 *sepgsql* extension to support SELinux. It assumes some basic knowledge
 of PostgreSQL that can be found at:
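Review bot: The new TOC entry `[***postgresql.conf* Entries**](#postgresql.conf-entries)` depends on the period surviving in the generated heading anchor. Pandoc keeps periods in its automatic identifiers, but GitHub's renderer strips them, so this link is likely to be dead when the raw markdown is browsed on GitHub while still working in the rendered HTML and PDF. Since both are listed as targets in the cover letter, please check this one entry in both renderers before merging.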
@@ -22,23 +30,29 @@ document:
 
 <https://www.postgresql.org/docs/11/sepgsql.html>
 
-
 ## sepgsql Overview
 
 The *sepgsql* extension adds SELinux mandatory access controls (MAC) to
 database objects such as tables, columns, views, functions, schemas and
-sequences. **Figure 24: Database Security Context Information** shows a simple
-database with one table, two columns and three rows, each with their object
-class and associated security context (the [**Internal Tables**](#internal-tables)
+sequences. **Table 1: Database Security Context Information** shows a simple
+database with one table and two columns, each with their object class and
+associated security context (the [**Internal Tables**](#internal-tables)
 section shows these entries from the *testdb* database in the
 [**Notebook sepgsql Example**](notebook-examples/sepgsql/testdb-example.sql).
 The database object classes and permissions are described in
 [**Appendix A - Object Classes and Permissions**](object_classes_permissions.md#database-object-classes).
 
-![](./images/24-database-table.png)
+|       |
+| :---: |
+| **database** (*db_database*) - context = 'unconfined_u:object_r:postgresql_db_t:s0' This context is inherited from the database directory label -  ls -Z /var/lib/pgsql/data |
+| **schema** (*db_schema*) - security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10' |
+| **table** (*db_table*)   - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c20'  |
+
+|       |       |
+| :---: | :---: |
+| **column 1** (*db_column*) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c30' | **column 2** - (*db_column*) security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c40' |
 
-**Figure 24: Database Security Context Information** - *Showing the security
-contexts that can be associated to a schema, table and columns.*
+**Table 1: Database Security Context Information** - *Showing the security contexts that can be associated to a schema, table and columns.*
 
 To use SE-PostgreSQL each Linux user must have a valid PostgreSQL
 database role (not to be confused with an SELinux role). The default
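Review bot: The two pipe tables that replace the figure are formatted inconsistently. The first column cell reads `**column 1** (*db_column*) - security_label = ...` while the second reads `**column 2** - (*db_column*) security_label = ...`, with the dash on the other side of the object class. The database row also runs the context and the sentence "This context is inherited from the database directory label -  ls -Z /var/lib/pgsql/data" together in one cell with no separating punctuation, and the `ls -Z` command is not marked as code. Suggest matching the column 2 cell to column 1 and punctuating the database row. The caption says "Table 1" but covers two separate tables with empty header rows, which is hard to follow in the raw markdown.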
@@ -68,9 +82,7 @@ with AVC audits being logged via the standard PostgreSQL logfile as
 described in the [**Logging Security Events**](#logging-security-events)
 section.
 
-<br>
-
-### Installing SE-PostgreSQL
+## Installing SE-PostgreSQL
 
 The [**https://www.postgresql.org/docs/11/sepgsql.html**](https://www.postgresql.org/docs/11/sepgsql.html)
 page contains all the information required to install the *sepgsql* extension.
@@ -79,7 +91,7 @@ There are also instructions in the
 [**Notebook sepgsql Example - README**](notebook-examples/sepgsql/README.md)
 that describes building the example database used in the sections below.
 
-### *SECURITY LABEL* SQL Command
+## *SECURITY LABEL* SQL Command
 
 The '*SECURITY LABEL*' SQL command has been added to PostgreSQL to allow
 security providers to label or change a label on database objects.
@@ -102,34 +114,32 @@ SECURITY LABEL ON COLUMN test_ns.info.email_addr IS
 'unconfined_u:object_r:sepgsql_table_t:s0:c40';
 ```
 
-### Additional SQL Functions
+## Additional SQL Functions
 
 The following functions have been added:
 
-<table>
-<tbody>
-<tr>
-<td><code>sepgsql_getcon()</code></td>
-<td>Returns the client security context.</td>
-</tr>
-<tr>
-<td><code>sepgsql_mcstrans_in(text con)</code></td>
-<td>Translates the readable <em>range</em> of the context into raw format provided the <em>mcstransd</em> daemon is running.</td>
-</tr>
-<tr>
-<td><code>sepgsql_mcstrans_out(text con)</code></td>
-<td>Translates the raw <em>range</em> of the context into readable format provided the <em>mcstransd</em> daemon is running.</td>
-</tr>
-<tr>
-<td><code>sepgsql_restorecon(text specfile)</code></td>
-<td>Sets security contexts on all database objects (must be superuser) according to the <em>specfile</em>. This is normally used for initialisation of the database by the <em>sepgsql.sql</em> script. If the parameter is NULL, then the default <em>sepgsql_contexts</em> file is used. See <em><strong>selabel_db</strong>(5)</em> details.</td>
-</tr>
-</tbody>
-</table>
-
-<br>
-
-### *postgresql.conf* Entries
+*sepgsql_getcon()*
+
+Returns the client security context.
+
+*sepgsql_mcstrans_in(text con)*
+
+Translates the readable *range* of the context into raw format provided the
+***mcstransd**(8)* daemon is running.
+
+*sepgsql_mcstrans_out(text con)*
+
+Translates the raw *range* of the context into readable format provided the
+***mcstransd**(8)* daemon is running.
+
+*sepgsql_restorecon(text specfile)*
+
+Sets security contexts on all database objects (must be superuser) according
+to the *specfile*. This is normally used for initialisation of the database
+by the *sepgsql.sql* script. If the parameter is NULL, then the default
+*sepgsql_contexts* file is used. See ***selabel_db**(5)* details.
+
+## *postgresql.conf* Entries
 
 The *postgresql.conf* file supports the following additional entries to
 enable and manage SE-PostgreSQL:
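Review bot: In the converted function list the signatures move from `<code>` to italics, for example `*sepgsql_mcstrans_in(text con)*`, so they no longer render as code and now share the styling used for file names such as *sepgsql.sql* and *sepgsql_contexts* in the same paragraphs. Backticks around each signature would keep the earlier rendering. While touching the last entry, "See ***selabel_db**(5)* details." is still missing "for".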
@@ -167,9 +177,7 @@ on
 (1 row)
 ```
 
-<br>
-
-### Logging Security Events
+## Logging Security Events
 
 SE-PostgreSQL manages its own AVC audit entries in the standard
 PostgreSQL log normally located within the */var/lib/pgsql/data/pg_log*
@@ -177,9 +185,7 @@ directory and by default only errors are logged (Note that there are no
 SE-PostgreSQL AVC entries added to the standard *audit.log*). The
 '*sepgsql.debug_audit = on*' can be set to log all audit events.
 
-<br>
-
-### Internal Tables
+## Internal Tables
 
 To support the overall database operation PostgreSQL has internal tables
 in the system catalog that hold information relating to databases,
@@ -188,46 +194,15 @@ that holds the security label and other references. The *pg_seclabel*
 is shown in the table below and has been taken from
 <http://www.postgresql.org/docs/11/static/catalog-pg-seclabel.html>.
 
-<table>
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Name</strong></td>
-<td><strong>Type</strong></td>
-<td><strong>References</strong></td>
-<td><strong>Comments</strong></td>
-</tr>
-<tr>
-<td><code>objoid</code></td>
-<td><code>oid</code></td>
-<td>any OID column</td>
-<td>The OID of the object this security label pertains to.</td>
-</tr>
-<tr>
-<td><code>classoid</code></td>
-<td><code>oid</code></td>
-<td><a href="http://www.postgresql.org/docs/11/static/catalog-pg-class.html">pg_class</a>.oid</td>
-<td>The OID of the system catalog this object appears in.</td>
-</tr>
-<tr>
-<td><code>objsubid</code></td>
-<td>int4</td>
-<td></td>
-<td>For a security label on a table column, this is the column number (the <em>objoid</em> and <em>classoid</em> refer to the table itself). For all other objects this column is zero.</td>
-</tr>
-<tr>
-<td><code>provider</code></td>
-<td>text</td>
-<td></td>
-<td>The label provider associated with this label. Currently only SELinux is supported.</td>
-</tr>
-<tr>
-<td><code>label</code></td>
-<td>text</td>
-<td></td>
-<td>The security label applied to this object.</td>
-</tr>
-</tbody>
-</table>
+
+| **Name** | **Type** | **References** | **Comments** |
+| -------- | -------- | -------------- | ------------ |
+| objoid   |   oid    | any OID column | The OID of the object this security label pertains to. |
+| classoid |   oid    | pg_class.oid   | The OID of the system catalog this object appears in.  |
+| objsubid |  int4    |                | For a security label on a table column, this is the column number (the *objoid* and *classoid* refer to the table itself). For all other objects this column is zero. |
+| provider |  text    |                 | The label provider associated with this label. Currently only SELinux is supported. |
+| label    |  text    |                 | The security label applied to this object. |
+
 
 These are entries taken from a '*SELECT * FROM pg_seclabel;*' command
 that refers to the example *testdb* database built using the
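Review bot: The pipe table drops two things the HTML table carried: the hyperlink on pg_class (previously `<a href="http://www.postgresql.org/docs/11/static/catalog-pg-class.html">pg_class</a>.oid`) and the `<code>` formatting on the column names and the `oid` type. Both fit in a pipe table as a markdown link and backticks. The added `+` blank lines before and after the table also sit next to existing blank context lines, leaving doubled blank lines around it.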
@@ -260,8 +235,6 @@ objoid|classoid|objsubid|objtype|objnamespace|  objname     | provider| label
       |        |        |       |            | email_addr   |         |
 ```
 
-<br>
-
 <!-- %CUTHERE% -->
 
 ---


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 12/18] all: remove all the <br> tags we haven't gotten to yet
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (10 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 11/18] postgresql: update PostgreSQL SELinux Support section Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 13/18] all: unify example formatting (scripts, code, policy, etc) in markdown Paul Moore
                   ` (5 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

This was done with the following script:

  for i in *.md; do
    sed '/^[ \t]*<br>[ \t]*$/d' -i $i
  done

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/apache_support.md              |    4 ---
 src/auditing.md                    |    7 -----
 src/avc_rules.md                   |    6 -----
 src/bounds_rules.md                |    2 --
 src/cil_overview.md                |    1 -
 src/class_permission_statements.md |    5 ----
 src/computing_access_decisions.md  |    1 -
 src/computing_security_contexts.md |   15 -----------
 src/conditional_statements.md      |    3 --
 src/configuration_files.md         |    3 --
 src/constraint_statements.md       |    4 ---
 src/core_components.md             |    5 ----
 src/debug_policy_hints.md          |    1 -
 src/default_rules.md               |    4 ---
 src/domain_object_transitions.md   |    4 ---
 src/file_labeling_statements.md    |    5 ----
 src/global_config_files.md         |    7 -----
 src/implementing_seaware_apps.md   |    6 -----
 src/infiniband_statements.md       |    3 --
 src/kernel_policy_language.md      |    7 -----
 src/libselinux_functions.md        |    1 -
 src/lsm_selinux.md                 |    8 ------
 src/mac.md                         |    2 --
 src/mls_mcs.md                     |    6 -----
 src/mls_statements.md              |   10 --------
 src/modes.md                       |    1 -
 src/modular_policy_statements.md   |    4 ---
 src/network_statements.md          |    4 ---
 src/network_support.md             |    7 -----
 src/object_classes_permissions.md  |   21 ----------------
 src/objects.md                     |    3 --
 src/pam_login.md                   |    1 -
 src/policy_config_files.md         |   35 ---------------------------
 src/policy_config_statements.md    |    1 -
 src/policy_languages.md            |    1 -
 src/policy_store_config_files.md   |   20 ---------------
 src/policy_validation_example.md   |    1 -
 src/polyinstantiation.md           |    7 -----
 src/rbac.md                        |    1 -
 src/reference_policy.md            |   47 ------------------------------------
 src/role_statements.md             |    6 -----
 src/seandroid.md                   |   15 -----------
 src/security_context.md            |    1 -
 src/selinux_cmds.md                |    1 -
 src/selinux_overview.md            |    2 --
 src/sid_statement.md               |    2 --
 src/subjects.md                    |    2 --
 src/terminology.md                 |    2 --
 src/title.md                       |    1 -
 src/toc.md                         |    1 -
 src/type_enforcement.md            |    3 --
 src/types_of_policy.md             |   10 --------
 src/users.md                       |    1 -
 53 files changed, 321 deletions(-)

diff --git a/src/apache_support.md b/src/apache_support.md
index 60f09d9..22ce966 100644
--- a/src/apache_support.md
+++ b/src/apache_support.md
@@ -50,7 +50,6 @@ the LAPP<a href="#fnap1" class="footnote-ref" id="fnaph1"><strong><sup>1</sup></
 The [A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf)
 document gives a good overview of the LAPP architecture.
 
-<br>
 
 ## `mod_selinux` Overview
 
@@ -76,7 +75,6 @@ itself, for example:
 3.  The web application exits, handing control back to the web server
     that replies with the HTTP response.
 
-<br>
 
 ## Bounds Overview
 
@@ -122,7 +120,6 @@ operation will be denied and an `SELINUX_ERR` entry will be added to
 the audit log stating `op=security_compute_av reason=bounds` with
 the context strings and the denied class and permissions.
 
-<br>
 
 
 <section class="footnotes">
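Review bot: in this hunk the removed `<br>` has one blank line above it and two below, so deleting only that line leaves three consecutive blank lines ahead of `<section class="footnotes">`; the same pattern (two blank lines left before a heading) recurs in most hunks of this patch. Since the series aims at more readable raw markdown, consider deleting the surplus blank lines together with the tag so that blocks are separated by a single blank line.
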
@@ -131,7 +128,6 @@ the context strings and the denied class and permissions.
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/auditing.md b/src/auditing.md
index 295373a..17cc2e6 100644
--- a/src/auditing.md
+++ b/src/auditing.md
@@ -40,7 +40,6 @@ Notes:
     ***selinux_set_callback**(3)* and specifying an alternative log
     handler.
 
-<br>
 
 ## AVC Audit Events
 
@@ -233,7 +232,6 @@ exe="/usr/move_file/move_file_c"
 subj=unconfined_u:unconfined_r:move_file_t key=(null)
 ```
 
-<br>
 
 ## General SELinux Audit Events
 
@@ -271,7 +269,6 @@ policyload notice (seqno=2) : exe="/usr/bin/Xorg" sauid=0 hostname=?
 addr=? terminal=?'
 ```
 
-<br>
 
 Change enforcement mode - `MAC_STATUS` - This was generated when the
 SELinux enforcement mode was changed:
@@ -287,7 +284,6 @@ tty=pts0 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 ```
 
-<br>
 
 Change boolean value - `MAC_CONFIG_CHANGE` - This event was generated
 when ***setsebool**(8)* was run to change a boolean. Note that the
@@ -323,7 +319,6 @@ exe="/sbin/netlabelctl"
 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 ```
 
-<br>
 
 Labeled IPSec - `MAC_IPSEC_EVENT` - Generated when running
 ***setkey**(8)* to load IPSec configuration:
@@ -376,7 +371,6 @@ exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c300
 key=(null)
 ```
 
-<br>
 
 Role changes - `USER_ROLE_CHANGE` - Used ***newrole**(1)* to set a new
 role that was not valid.
@@ -391,7 +385,6 @@ new-context=?: exe="/usr/bin/newrole" hostname=? addr=?
 terminal=/dev/pts/0 res=failed'
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/avc_rules.md b/src/avc_rules.md
index 5c2a491..de8e9c3 100644
--- a/src/avc_rules.md
+++ b/src/avc_rules.md
@@ -77,7 +77,6 @@ section.
 </tbody>
 </table>
 
-<br>
 
 ## `allow`
 
@@ -138,7 +137,6 @@ allow bootloader_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow files_unconfined_type file_type:{ file chr_file } ~execmod;
 ```
 
-<br>
 
 ## `dontaudit`
 
@@ -158,7 +156,6 @@ also helps to manage the audit log by excluding known events.
 dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind;
 ```
 
-<br>
 
 ## `auditallow`
 
@@ -176,7 +173,6 @@ to grant permission.
 auditallow ada_t self:process execstack;
 ```
 
-<br>
 
 ## `neverallow`
 
@@ -207,7 +203,6 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
 ```
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -216,7 +211,6 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/bounds_rules.md b/src/bounds_rules.md
index 08393dd..e890955 100644
--- a/src/bounds_rules.md
+++ b/src/bounds_rules.md
@@ -12,7 +12,6 @@ NOT enforced by the SELinux kernel services). The
 [**CIL Reference Guide**](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
 gives details.
 
-<br>
 
 ## `typebounds`
 
@@ -91,7 +90,6 @@ allow httpd_t etc_t : file { getattr read };
 allow httpd_child_t etc_t : file { read write };
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/cil_overview.md b/src/cil_overview.md
index 1403666..e0364d7 100644
--- a/src/cil_overview.md
+++ b/src/cil_overview.md
@@ -147,7 +147,6 @@ declarations with the order in which they are declared in the kernel.
 A module store is created by `semodule` to give easy access to the
 source and that allows for full control over the policy.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md
index 65f2bed..eb42b1f 100644
--- a/src/class_permission_statements.md
+++ b/src/class_permission_statements.md
@@ -16,7 +16,6 @@ There are two variants of the `class` statement for writing policy:
     [**Associating Permissions to a Class**](#associating-permissions-to-a-class)
     section.
 
-<br>
 
 ## `class`
 
@@ -75,7 +74,6 @@ definition:
 class db_tuple
 ```
 
-<br>
 
 ### Associating Permissions to a Class
 
@@ -90,7 +88,6 @@ Permissions can be defined within policy in two ways:
 A list of classes and their permissions used by the **Reference Policy**
 can be found in the *./policy/flask/access_vectors* file.
 
-<br>
 
 ## `common`
 
@@ -154,7 +151,6 @@ The statement definition is:
 common database { create drop getattr setattr relabelfrom relabelto }
 ```
 
-<br>
 
 ## `class`
 
@@ -246,7 +242,6 @@ class db_blob inherits database
 class db_blob inherits database { read write import export }
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/computing_access_decisions.md b/src/computing_access_decisions.md
index 0670240..ce4cf11 100644
--- a/src/computing_access_decisions.md
+++ b/src/computing_access_decisions.md
@@ -57,7 +57,6 @@ require kernel system call over-heads once set up. Note that these
 functions are only available from *libselinux* 2.0.99, with Linux kernel
 2.6.37 and above.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index ca7ba5d..100a8cf 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -46,7 +46,6 @@ various kernel objects (also see the
 [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
 section.
 
-<br>
 
 ### Process
 
@@ -74,7 +73,6 @@ Processes inherit their security context as follows:
     practice is generally discouraged - exec-based transitions are
     preferred.
 
-<br>
 
 ### Files
 
@@ -113,13 +111,11 @@ SID, which is mapped to a context by the policy. This default may be
 overridden via the `defcontext=` mount option on a per-mount basis as
 described in ***mount**(8)*.
 
-<br>
 
 ### File Descriptors
 
 Inherits the label of its creator/parent.
 
-<br>
 
 ### Filesystems
 
@@ -166,7 +162,6 @@ Notes:
     `context=`, `fscontext=`, `defcontext=` and `rootcontext=`. They are
     fully described in the ***mount**(8)* man page.
 
-<br>
 
 ### Network File System (nfsv4.2)
 
@@ -174,7 +169,6 @@ If labeled NFS is implemented with `xattr` support, then the creation of
 inodes are treated as described in the [Files](#files)
 section.
 
-<br>
 
 ### INET Sockets
 
@@ -208,13 +202,11 @@ Some sockets may be labeled with the kernel SID to reflect the fact that
 they are kernel-internal sockets that are not directly exposed to
 applications.
 
-<br>
 
 ### IPC
 
 Inherits the label of its creator/parent.
 
-<br>
 
 ### Message Queues
 
@@ -239,19 +231,16 @@ the message queue it will be stored in as follows:
     with the selected range being low, high or low-high to be defined
     for the message object class).
 
-<br>
 
 ### Semaphores
 
 Inherits the label of its creator/parent.
 
-<br>
 
 ### Shared Memory
 
 Inherits the label of its creator/parent.
 
-<br>
 
 ### Keys
 
@@ -260,7 +249,6 @@ Inherits the label of its creator/parent.
 Security-aware applications may use ***setkeycreatecon**(3)* to
 explicitly label keys they create if permitted by policy.
 
-<br>
 
 ## Using libselinux Functions
 
@@ -359,7 +347,6 @@ new context `newcon` (referenced by SIDs for
 
 **Table 1**
 
-<br>
 
 ### *avc_compute_member* and *security_compute_member*
 
@@ -435,7 +422,6 @@ the new context `newcon` (referenced by SIDs for
 
 **Table 2**
 
-<br>
 
 ### *security_compute_relabel*
 
@@ -514,7 +500,6 @@ following notes also apply:
 
 **Table 3**
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/conditional_statements.md b/src/conditional_statements.md
index e7254cc..00159b6 100644
--- a/src/conditional_statements.md
+++ b/src/conditional_statements.md
@@ -56,7 +56,6 @@ getsebool -a
 getsebool allow_daemons_use_tty
 ```
 
-<br>
 
 ## bool
 
@@ -133,7 +132,6 @@ bool allow_execheap false;
 bool allow_execstack true;
 ```
 
-<br>
 
 ### if
 
@@ -258,7 +256,6 @@ if (read_untrusted_content) {
 }
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/configuration_files.md b/src/configuration_files.md
index 6738ec4..10092c6 100644
--- a/src/configuration_files.md
+++ b/src/configuration_files.md
@@ -33,7 +33,6 @@ as follows:
     viewing the currently loaded policy using tools such as
     ***apol**(1)* (e.g. *apol /sys/fs/selinux/policy*).
 
-<br>
 
 ## The Policy Store
 
@@ -149,7 +148,6 @@ already available, the following message will be given: "*A higher
 priority &lt;name&gt; module exists at priority &lt;999&gt; and will
 override the module currently being installed at priority &lt;111&gt;*".
 
-<br>
 
 ## Converting policy packages to CIL
 
@@ -175,7 +173,6 @@ Options:
 -h, --help print this message and exit
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/constraint_statements.md b/src/constraint_statements.md
index 50733b1..9708306 100644
--- a/src/constraint_statements.md
+++ b/src/constraint_statements.md
@@ -170,7 +170,6 @@ constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create r
 	(u1 == u2 or t1 == can_change_object_identity);
 ```
 
-<br>
 
 ## `validatetrans`
 
@@ -269,7 +268,6 @@ Note there are no `validatetrans` statements specified within the
 
 `validatetrans { file } { t1 == unconfined_t );`
 
-<br>
 
 ## `mlsconstrain`
 
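Review bot: the example on the context line `validatetrans { file } { t1 == unconfined_t );` opens the expression with `{` and closes it with `)`, so it does not parse as written. The expression should be parenthesised, `( t1 == unconfined_t )`; this is outside the `<br>` removal but worth correcting while the section is being cleaned up.
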
@@ -394,7 +392,6 @@ mlsconstrain dir search
 	( t2 == mlstrustedobject ));
 ```
 
-<br>
 
 ## `mlsvalidatetrans`
 
@@ -524,7 +521,6 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
 	(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/core_components.md b/src/core_components.md
index dde17a1..0cc9e65 100644
--- a/src/core_components.md
+++ b/src/core_components.md
@@ -17,7 +17,6 @@ manage enforcement of the policy and comprise of the following:
 5.  An Access Vector Cache (AVC) that improves system performance by
     caching security server decisions.
 
-<br>
 
 ![](./images/1-core.png)
 
@@ -26,13 +25,11 @@ Security Server are cached in the AVC to enhance performance of future
 requests. Note that it is the kernel and userspace Object Managers that
 enforce the policy.*
 
-<br>
 
 ![](./images/2-high-level-arch.png)
 
 **Figure 2: High Level SELinux Architecture** - *Showing the major supporting services*
 
-<br>
 
 **Figure 2** shows a more complex diagram of kernel and userspace with a number of
 supporting services that are used to manage the SELinux environment.
@@ -134,7 +131,6 @@ The [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module
 section goes into greater detail of the LSM / SELinux modules with a walk
 through of a ***fork**(2)* and ***exec**(2)* process.
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -149,7 +145,6 @@ statement that allows a domain to run in permissive mode while the others are st
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/debug_policy_hints.md b/src/debug_policy_hints.md
index edccce9..913a82a 100644
--- a/src/debug_policy_hints.md
+++ b/src/debug_policy_hints.md
@@ -5,7 +5,6 @@ I'm sure there is more to add here !!!
 
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/default_rules.md b/src/default_rules.md
index a5ea085..e759a84 100644
--- a/src/default_rules.md
+++ b/src/default_rules.md
@@ -77,7 +77,6 @@ default_user file target;
 default_user { x_selection x_property } source;
 ```
 
-<br>
 
 ## `default_role`
 
@@ -152,7 +151,6 @@ default_role file target;
 default_role { x_selection x_property } source;
 ```
 
-<br>
 
 ## `default_type`
 
@@ -227,7 +225,6 @@ default_type file target;
 default_type { x_selection x_property } source;
 ```
 
-<br>
 
 ## `default_range`
 
@@ -327,7 +324,6 @@ default_type { x_selection x_property } source low_high;
 default_range db_table glblub;
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
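Review bot: the hunk header context shows `default_type { x_selection x_property } source low_high;` inside the `default_range` section, above the `default_range db_table glblub;` example. `low_high` is a `default_range` qualifier and not part of the `default_type` syntax, so that example looks like it should read `default_range`; suggest fixing it in this patch or a follow-up.
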
diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md
index c4cf83b..2c5e45a 100644
--- a/src/domain_object_transitions.md
+++ b/src/domain_object_transitions.md
@@ -8,7 +8,6 @@ This section discusses the `type_transition` statement that is used to:
 These transitions can also be achieved using the **libselinux** API
 functions for SELinux-aware applications.
 
-<br>
 
 ## Domain Transition
 
@@ -89,7 +88,6 @@ SELinux enabled kernel.
 within the `unconfined_t` domain and then transitioned to the `ext_gateway_t`
 domain.*
 
-<br>
 
 ### Type Enforcement Rules
 
@@ -209,7 +207,6 @@ Other ways to resolve this issue are:
 It was decided to use runcon as it demonstrates the command usage better
 than reading the man pages.
 
-<br>
 
 ## Object Transition
 
@@ -276,7 +273,6 @@ drwxr-xr-x root root system_u:object_r:unconfined_t ..
 -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-2
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md
index ad0036b..dad3361 100644
--- a/src/file_labeling_statements.md
+++ b/src/file_labeling_statements.md
@@ -12,7 +12,6 @@ therefore if the policy supports MCS / MLS, then an `mls_range` is
 required as described in the
 [**MLS range Definition**](mls_statements.md#mls-range-definition) section.
 
-<br>
 
 ## `fs_use_xattr`
 
@@ -85,7 +84,6 @@ fs_use_xattr ext2 system_u:object_r:fs_t:s0;
 fs_use_xattr ext3 system_u:object_r:fs_t:s0;
 ```
 
-<br>
 
 ## `fs_use_task`
 
@@ -156,7 +154,6 @@ fs_use_task pipefs system_u:object_r:fs_t:s0;
 fs_use_task sockfs system_u:object_r:fs_t:s0;
 ```
 
-<br>
 
 ## `fs_use_trans`
 
@@ -227,7 +224,6 @@ fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
 fs_use_trans devpts system_u:object_r:devpts_t:s0;
 ```
 
-<br>
 
 ## `genfscon`
 
@@ -319,7 +315,6 @@ genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0
 genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/global_config_files.md b/src/global_config_files.md
index 2897e1b..3cc3bbd 100644
--- a/src/global_config_files.md
+++ b/src/global_config_files.md
@@ -9,7 +9,6 @@ important files are:
 -   */etc/selinux/semanage.conf* - This is used by the SELinux policy
     configuration subsystem for modular or CIL policies.
 
-<br>
 
 ## */etc/selinux/config*
 
@@ -83,7 +82,6 @@ SELINUX=permissive
 SELINUXTYPE=targeted
 ```
 
-<br>
 
 ## */etc/selinux/semanage.conf*
 
@@ -275,7 +273,6 @@ args = $@
 [end]
 ```
 
-<br>
 
 ## */etc/selinux/restorecond.conf*
 ## *restorecond-user.conf*
@@ -319,14 +316,12 @@ directories).
 ~/public_html/*
 ```
 
-<br>
 
 ## */etc/selinux/newrole_pam.conf*
 
 The optional *newrole\_pam.conf* file is used by ***newrole**(1)* and
 maps commands to ***PAM**(8)* service names.
 
-<br>
 
 ## */etc/sestatus.conf*
 
@@ -367,7 +362,6 @@ List of processes to display context
 /usr/sbin/sshd
 ```
 
-<br>
 
 ## */etc/security/sepermit.conf*
 
@@ -413,7 +407,6 @@ example that describes the configuration:
 xguest:exclusive
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md
index dbdbae4..244d3ac 100644
--- a/src/implementing_seaware_apps.md
+++ b/src/implementing_seaware_apps.md
@@ -36,7 +36,6 @@ SELinux-aware applications do not (they rely on 'Object Managers' to do
 this e.g. the kernel based Object Managers such as those that manage
 filesystem, IPC and network labeling).
 
-<br>
 
 ## Implementing SELinux-aware Applications
 
@@ -96,7 +95,6 @@ developing SELinux-aware applications and object managers using
     explained at:
 <http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=12b29f34558b9b45a2c6eabd4f3c6be939a3980f>
 
-<br>
 
 ## Implementing Object Managers
 
@@ -157,7 +155,6 @@ classes/permissions.
     the [**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf), and for reference, the SE-PostgreSQL service also implements a similar
     interface.
 
-<br>
 
 ## Reference Policy Changes
 
@@ -211,7 +208,6 @@ not require modification, and supplying the module files (*\*.te*,
 ## </required>
 ```
 
-<br>
 
 ## Adding New Object Classes and Permissions
 
@@ -288,7 +284,6 @@ dynamic class/perm discovery:
     by the kernel. Then add allow rules as appropriate to the policy for
     the new permissions.
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -301,7 +296,6 @@ applied to their objects as defined by policy.<a href="#fnisa1" class="footnote-
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/infiniband_statements.md b/src/infiniband_statements.md
index 9b13206..79c29da 100644
--- a/src/infiniband_statements.md
+++ b/src/infiniband_statements.md
@@ -8,7 +8,6 @@ overview of the SELinux IB implementation can be found at:
 
 Note that there are no terminating semi-colons ';' on these statements.
 
-<br>
 
 ## `ibpkeycon`
 
@@ -94,7 +93,6 @@ in the default `<SELINUXTYPE>` policy store and then activate the policy:
 ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
 ```
 
-<br>
 
 ## `ibendportcon`
 
@@ -180,7 +178,6 @@ This command will produce the following file
 ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md
index 96214a7..7a74255 100644
--- a/src/kernel_policy_language.md
+++ b/src/kernel_policy_language.md
@@ -205,7 +205,6 @@ Where:
 **Table 3** shows a cross reference matrix of statements
 and rules allowed in each type of policy source file.
 
-<br>
 
 ## Conditional, Optional and Require Statement Rules
 
@@ -261,7 +260,6 @@ Where:
 **Table 3** shows a cross reference matrix of statements
 and rules allowed in each of the above policy statements.
 
-<br>
 
 ## MLS Statements and Optional MLS Components
 
@@ -272,7 +270,6 @@ context as an argument, (for example the
 [**Network Labeling Statements**](network_statements.md#network-labeling-statements)),
 therefore these statements show an example taken from the MLS **Reference Policy** build.
 
-<br>
 
 ## General Statement Information
 
@@ -483,7 +480,6 @@ same).
 
 **Table 2: Policy language reserved words**
 
-<br>
 
 **Table 3** shows what policy language statements and rules are allowed
 within each type of policy source file, and whether the statement is valid
@@ -952,7 +948,6 @@ policy source file. The right hand side of the table shows whether the
 statement is valid within the `if/else` construct, `optional {rule_list}`,
 or `require {rule_list}` statement.*
 
-<br>
 
 ## Section Contents
 
@@ -980,7 +975,6 @@ Note these are not kernel policy statements, but used by the Reference Policy
 to assist policy build:
 -   [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -992,7 +986,6 @@ to assist policy build:
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md
index 52232aa..d3dd2f1 100644
--- a/src/libselinux_functions.md
+++ b/src/libselinux_functions.md
@@ -1093,7 +1093,6 @@ The appropriate ***man**(3)* pages should consulted for detailed usage.
 </tbody>
 </table>
 
-<br>
 
 <!-- %CUTHERE% -->
 
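Review bot: the hunk header context reads "The appropriate ***man**(3)* pages should consulted for detailed usage."; the sentence is missing "be" ("should be consulted"). It is a one-word fix that could ride along with this cleanup.
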
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md
index f762614..d4be834 100644
--- a/src/lsm_selinux.md
+++ b/src/lsm_selinux.md
@@ -15,7 +15,6 @@ the SELinux kernel source code). The major areas covered are:
 4.  The SELinux filesystem */sys/fs/selinux*.
 5.  The */proc* filesystem area most applicable to SELinux.
 
-<br>
 
 ## The LSM Module
 
@@ -90,7 +89,6 @@ inserted security hooks and structures to allow access control to be
 managed by 3<sup>rd</sup> party modules (see
 ./linux-3.14/include/linux/security.h).*
 
-<br>
 
 | ***/proc/self/attr/*** **Permissions** |  **File Name**|     **Function**                              |
 | ------------ | ------------ | ------------------------------------------------------------------------ |
@@ -145,7 +143,6 @@ hooks and structures.
 
 **Table 3:** *The core LSM source modules.*
 
-<br>
 
 ## The SELinux Module
 
@@ -271,7 +268,6 @@ to see how some of these kernel source modules fit together.
 **Table 4: The core SELinux source modules** - *The .h files and those in
 the include directory have a number of useful comments.*
 
-<br>
 
 ### Fork System Call Walk-thorough
 
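Review bot: the heading on the context line `### Fork System Call Walk-thorough` misspells "Walk-through", and the next hunk shows the same in `### Process Transition Walk-thorough`. Renaming the headings changes their generated anchors, so any links to these sections need updating in the same change.
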
@@ -337,7 +333,6 @@ is valid):
 required to check access permissions for Object Class `process` and
 permission `fork`.*
 
-<br>
 
 ### Process Transition Walk-thorough
 
@@ -458,7 +453,6 @@ computed. This function will (assuming there are no errors):
 check if a transition is allowed from the `unconfined_t` domain to the
 `ext_gateway_t` domain.*
 
-<br>
 
 ![](./images/12-lsm-selinux-arch.png)
 
@@ -466,7 +460,6 @@ check if a transition is allowed from the `unconfined_t` domain to the
 link to [**Figure 7**](domain_object_transitions.md#domain-transition)
 where the transition process is described.*
 
-<br>
 
 #### SELinux Filesystem
 
@@ -740,7 +733,6 @@ Notes:
     interfaces.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/mac.md b/src/mac.md
index cfdc0e0..5c746f2 100644
--- a/src/mac.md
+++ b/src/mac.md
@@ -29,7 +29,6 @@ chain for DAC and MAC are shown in **Figure 3**.
 **Figure 3: Processing a System Call** - *The DAC checks are carried out
 first, if they pass then the Security Server is consulted for a decision.*
 
-<br>
 
 SELinux supports two forms of MAC:
 
@@ -63,7 +62,6 @@ application separation, for example SELinux enabled:
     [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section).
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/mls_mcs.md b/src/mls_mcs.md
index 2f80ac6..59ff4a0 100644
--- a/src/mls_mcs.md
+++ b/src/mls_mcs.md
@@ -111,7 +111,6 @@ The format used in the policy language statements is fully described in
 the [MLS Statements](mls_statements.md#mls-statements) section, however
 a brief overview follows.
 
-<br>
 
 #### MLS / MCS Range Format
 
@@ -146,7 +145,6 @@ user:role:type:sensitivity[:category,...]  -  sensitivity [:category,...]
 </tbody>
 </table>
 
-<br>
 
 #### Translating Levels
 
@@ -163,7 +161,6 @@ command can be used to set up this translation and is shown in the
 [**setrans.conf**](policy_config_files.md#setrans.conf) configuration file
 section.
 
-<br>
 
 ### Managing Security Levels via Dominance Rules
 
@@ -282,13 +279,11 @@ the `mlsconstrain` statement as illustrated in
 **Table 2: MLS Security Levels** - *Showing the scope of a process running
 at a security range of `s0 - s3:c1.c5`.*
 
-<br>
 
 ![](./images/9-mls-constrain.png)
 
 **Figure 9: Showing the mlsconstrain Statements controlling Read Down & Write Up** - *This ties in with* **Table 2: MLS Security Levels** *that shows a process running with a security range of s0 - s3:c1.c5.*
 
-<br>
 
 Using **Figure 9: `mlsconstrain` Statements controlling Read Down & Write Up**:
 
@@ -359,7 +354,6 @@ An interesting point:
     evaluated.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/mls_statements.md b/src/mls_statements.md
index 5731df8..d4a0c7f 100644
--- a/src/mls_statements.md
+++ b/src/mls_statements.md
@@ -61,14 +61,12 @@ the circumstances, there can be one level defined or a
 **Table 1: Sensitivity and Category = Security Level** - *this table shows
 the meanings depending on the context being discussed.*
 
-<br>
 
 To make the security levels more meaningful, it is possible to use the
 setransd daemon to translate these to human readable formats. The
 **semanage**(8) command will allow this mapping to be defined as discussed
 in the [**setrans.conf**](policy_config_files.md#setrans.conf) section.
 
-<br>
 
 #### MLS range Definition
 
@@ -100,7 +98,6 @@ discussed at the start of the [**MLS section**](#mls-statements).
 </tbody>
 </table>
 
-<br>
 
 ## `sensitivity`
 
@@ -179,7 +176,6 @@ sensitivity s15;
 sensitivity s0 alias secret wellmaybe ornot;
 ```
 
-<br>
 
 ## `dominance`
 
@@ -242,7 +238,6 @@ The statement is valid in:
 dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
 ```
 
-<br>
 
 ## `category`
 
@@ -321,7 +316,6 @@ category c255;
 category c0 alias planning development benefits;
 ```
 
-<br>
 
 ## `level`
 
@@ -395,7 +389,6 @@ level s0:c0.c255;
 level s15:c0.c255;
 ```
 
-<br>
 
 ## `range_transition`
 
@@ -484,7 +477,6 @@ range_transition initrc_t auditd_exec_t:process s15:c0.c255;
 range_transition initrc_t cupsd_exec_t:process s15:c0.c255;
 ```
 
-<br>
 
 ## `mlsconstrain`
 
@@ -492,7 +484,6 @@ This is decribed in the
 [**Constraint Statements - `mlsconstrain`**](constraint_statements.md#mlsconstrain)
 section.
 
-<br>
 
 ## `mlsvalidatetrans`
 
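Review bot: the hunk header context for this hunk and the next one reads "This is decribed in the", a misspelling of "described" in both the `mlsconstrain` and `mlsvalidatetrans` stub sections. Since the patch already touches both sections, fold the spelling fix in or queue it as a follow-up.
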
@@ -500,7 +491,6 @@ This is decribed in the
 [**Constraint Statements - `mlsvalidatetrans`**](constraint_statements.md#mlsvalidatetrans)
 section.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/modes.md b/src/modes.md
index 0f714e4..f5ceaef 100644
--- a/src/modes.md
+++ b/src/modes.md
@@ -43,7 +43,6 @@ enforcement mode in its output, however it does not display individual
 domain or object manager enforcement modes.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md
index 30ac4e0..2918010 100644
--- a/src/modular_policy_statements.md
+++ b/src/modular_policy_statements.md
@@ -3,7 +3,6 @@
 This section contains statements used to support policy modules. They are
 not part of the kernel policy language.
 
-<br>
 
 ## `module`
 
@@ -72,7 +71,6 @@ modules within the policy.
 
 module bind 1.0.0;
 ```
-<br>
 
 ## `require`
 
@@ -165,7 +163,6 @@ require {
 	shmemhost shmemserv };
 }
 ```
-<br>
 
 ## `optional`
 
@@ -266,7 +263,6 @@ optional {
 } # end optional
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/network_statements.md b/src/network_statements.md
index ef1c873..da66612 100644
--- a/src/network_statements.md
+++ b/src/network_statements.md
@@ -68,7 +68,6 @@ Or
 
 `::`
 
-<br>
 
 ## `netifcon`
 
@@ -161,7 +160,6 @@ netifcon eth2 system_u:object_r:netif_t:s0
 system_u:object_r:netif_t:s0
 ```
 
-<br>
 
 ## `nodecon`
 
@@ -260,7 +258,6 @@ This command will produce the following file in the default
 nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0
 ```
 
-<br>
 
 ## `portcon`
 
@@ -352,7 +349,6 @@ This command will produce the following file in the default
 portcon udp 1234 system_u:object_r:reserved_port_t:s0
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/network_support.md b/src/network_support.md
index 309e863..b207247 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -63,7 +63,6 @@ the inode associated to the socket and not from the actual kernel socket
 structure (as currently there is no standard kernel/userspace interface
 to achieve this).
 
-<br>
 
 ## SECMARK
 
@@ -177,7 +176,6 @@ The following articles explain the SECMARK service:
 -   [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html)
 
 
-<br>
 
 ## NetLabel - Fallback Peer Labeling
 
@@ -217,7 +215,6 @@ netlabelctl -p map list
 Note that the security contexts must be valid in the policy otherwise the
 commands will fail.
 
-<br>
 
 ## NetLabel – CIPSO/CALIPSO
 
@@ -286,7 +283,6 @@ netlabelctl -p map list
 The examples use the *nb_client*/*nb_server* from the Notebook examples
 section, plus the standard Fedora 'targeted' policy for the tests.
 
-<br>
 
 ## Labeled IPSec
 
@@ -431,7 +427,6 @@ article and a good reference covering **Basic Labeled IPsec Configuration**
 available at:
 <http://www.redhat.com/archives/redhat-lspp/2006-November/msg00051.html>
 
-<br>
 
 ## Labeled Network FileSystem (NFS)
 
@@ -449,7 +444,6 @@ Labeled NFS clients must use a consistent security policy.
 
 The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -459,7 +453,6 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
 </ol>
 </section>
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index 498d872..833d4d6 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -69,7 +69,6 @@ Language, and the
 [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
 specifies the CIL Policy Language.
 
-<br>
 
 # Kernel Object Classes and Permissions
 
@@ -667,7 +666,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-<br>
 
 ## File Object Classes
 
@@ -908,7 +906,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-<br>
 
 ## Network Object Classes
 
@@ -1134,7 +1131,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-<br>
 
 ## IPSec Network Object Classes
 
@@ -1215,7 +1211,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-<br>
 
 ## Netlink Object Classes
 
@@ -1616,7 +1611,6 @@ Netlink sockets communicate between userspace and the kernel – also see
 </tbody>
 </table>
 
-<br>
 
 ## Miscellaneous Network Object Classes
 
@@ -1720,7 +1714,6 @@ Netlink sockets communicate between userspace and the kernel – also see
 </tbody>
 </table>
 
-<br>
 
 ## Sockets via *extended_socket_class*
 
@@ -1908,7 +1901,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-<br>
 
 ## BPF Object Class
 
@@ -1947,7 +1939,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-<br>
 
 ## Performance Event Object Class
 
@@ -1990,7 +1981,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-<br>
 
 ## Lockdown Object Class
 
@@ -2021,7 +2011,6 @@ implementation.
 </tbody>
 </table>
 
-<br>
 
 ## IPC Object Classes
 
@@ -2132,7 +2121,6 @@ implementation.
 </tbody>
 </table>
 
-<br>
 
 ## Process Object Class
 
@@ -2298,7 +2286,6 @@ implementation.
 </tbody>
 </table>
 
-<br>
 
 ## Security Object Class
 
@@ -2369,7 +2356,6 @@ implementation.
 </tbody>
 </table>
 
-<br>
 
 ## System Operation Object Class
 
@@ -2456,7 +2442,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-<br>
 
 ## Miscellaneous Kernel Object Classes
 
@@ -2577,7 +2562,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-<br>
 
 ## Capability Object Classes
 
@@ -2657,7 +2641,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-<br>
 
 ## InfiniBand Object Classes
 
@@ -2699,7 +2682,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-<br>
 
 **Userspace** Object Classes
 =============================
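Review bot: the trailing context lines keep `**Userspace** Object Classes` as a setext heading (underlined with `=`) with bold markup inside it, while its counterpart earlier in this file's diff is the ATX heading `# Kernel Object Classes and Permissions`. For consistent raw markdown and predictable anchors, suggest converting it to `# Userspace Object Classes`.
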
@@ -3339,7 +3321,6 @@ These are userspace objects managed by XSELinux.
 </tbody>
 </table>
 
-<br>
 
 ## Database Object Classes
 
@@ -3671,7 +3652,6 @@ explains the objects, their permissions and how they should be used in detail.
 </tbody>
 </table>
 
-<br>
 
 ## Miscellaneous Userspace Object Classes
 
@@ -3886,7 +3866,6 @@ explains the objects, their permissions and how they should be used in detail.
 </table>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/objects.md b/src/objects.md
index 4ddac6e..e39e1b3 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -91,7 +91,6 @@ Where:
 </tbody>
 </table>
 
-<br>
 
 ![](./images/6-allow-rule.png)
 
@@ -322,7 +321,6 @@ process itself should clear or shred the information before releasing
 the object (which can be difficult in some cases unless the source code
 is available).
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -333,7 +331,6 @@ associated with the file.<a href="#fnobj1" class="footnote-back">↩</a></p></li
 </section>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/pam_login.md b/src/pam_login.md
index 213a9f3..8d3a831 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -110,7 +110,6 @@ perform the following functions:
     to the context defined in the policy.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 3178b08..6ce2020 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -29,7 +29,6 @@ additional two files are required:
     SELinux.
 -   *./context/x_contexts* - To allow the X-Windows service to run under SELinux.
 
-<br>
 
 ## *seusers*
 
@@ -75,7 +74,6 @@ __default__:user_u:s0-s0
 -   ***getseuser**(3)*
 -   ***getseuserbyname**(3)*
 
-<br>
 
 ## *booleans*
 ## *booleans.local*
@@ -123,7 +121,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux
 in the ***selinux_booleans_path**(3)*, and also a *local.users* file
 in the ***selinux_users_path**(3)*.
 
-<br>
 
 ## *booleans.subs_dist*
 
@@ -168,7 +165,6 @@ Supporting libselinux API functions are:
 -   ***security_get_boolean_names**(3)*
 -   ***security_set_boolean**(3)*
 
-<br>
 
 ## setrans.conf
 
@@ -226,7 +222,6 @@ Supporting libselinux API functions are:
 -   ***selinux_raw_to_trans_context**(3)*
 -   ***selinux_trans_to_raw_context**(3)*
 
-<br>
 
 ## *secolor.conf*
 
@@ -319,7 +314,6 @@ user : role : type : range
 black white white black tan orange black green
 ```
 
-<br>
 
 ## *policy/policy.&lt;ver&gt;*
 
@@ -336,7 +330,6 @@ discussed in the
 [**Types of SELinux Policy - Policy Versions**](types_of_policy.md#policy-versions)
 section.
 
-<br>
 
 ## *contexts/customizable_types*
 
@@ -377,7 +370,6 @@ sysadm_untrusted_content_tmp_t
 -   ***selinux_customizable_types_path**(3)*
 -   ***selinux_context_path**(3)*
 
-<br>
 
 ## *contexts/default_contexts*
 
@@ -464,7 +456,6 @@ The login process could now set the context correctly to
 *contexts/users/unconfined_u* configuration file instead could also have
 achieved this.
 
-<br>
 
 ## *contexts/dbus_contexts*
 
@@ -492,7 +483,6 @@ information at:
 
 -   ***selinux_context_path**(3)*
 
-<br>
 
 ## *contexts/default_type*
 
@@ -530,7 +520,6 @@ user_r:user_t
 -   ***selinux_default_type_path**(3)*
 -   ***get_default_type**(3)*
 
-<br>
 
 ## *contexts/failsafe_context*
 
@@ -572,7 +561,6 @@ sysadm_r:sysadm_t:s0
 -   ***get_ordered_context_list**(3)*
 -   ***get_ordered_context_list_with_level**(3)*
 
-<br>
 
 ## *contexts/initrc_context*
 
@@ -609,7 +597,6 @@ system_u:system_r:initrc_t:s0-s15:c0.c255
 
 -   ***selinux_context_path**(3)*
 
-<br>
 
 ## *contexts/lxc_contexts*
 
@@ -665,7 +652,6 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0"
 -   ***selinux_context_path**(3)*
 -   ***selinux_lxc_context_path**(3)*
 
-<br>
 
 ## *contexts/netfilter_contexts* - Obsolete
 
@@ -677,7 +663,6 @@ matching of network packets - Never been used.
 -   ***selinux_context_path**(3)*
 -   ***selinux_netfilter_context_path**(3)*
 
-<br>
 
 ## *contexts/openrc_contexts*
 
@@ -694,7 +679,6 @@ matching of network packets - Never been used.
 -   ***selinux_context_path**(3)*
 -   ***selinux_openrc_contexts_path**(3)*
 
-<br>
 
 ## *contexts/openssh_contexts*
 
@@ -712,7 +696,6 @@ matching of network packets - Never been used.
 -   ***selinux_context_path**(3)*
 -   ***selinux_openssh_contexts_path**(3)*
 
-<br>
 
 ## *contexts/removable_context*
 
@@ -745,7 +728,6 @@ system_u:object_r:removable_t:s0
 
 -   ***selinux_removable_context_path**(3)*
 
-<br>
 
 ## *contexts/sepgsql_contexts*
 
@@ -786,7 +768,6 @@ db_database        *        system_u:object_r:sepgsql_db_t:s0
 db_schema         *.*       system_u:object_r:sepgsql_schema_t:s0
 ```
 
-<br>
 
 ## *contexts/snapperd_contexts*
 
@@ -804,7 +785,6 @@ db_schema         *.*       system_u:object_r:sepgsql_schema_t:s0
 -   ***selinux_context_path**(3)*
 -   ***selinux_snapperd_contexts_path**(3)*
 
-<br>
 
 ## *contexts/securetty_types*
 
@@ -838,7 +818,6 @@ staff_tty_device_t
 
 -   ***selinux_securetty_types_path**(3)*
 
-<br>
 
 ## *contexts/systemd_contexts*
 
@@ -874,7 +853,6 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
 -   ***selinux_context_path**(3)*
 -   ***selinux_systemd_contexts_path**(3)*
 
-<br>
 
 ## *contexts/userhelper_context*
 
@@ -906,7 +884,6 @@ system_u:sysadm_r:sysadm_t:s0
 
 -   ***selinux_context_path**(3)*
 
-<br>
 
 ## *contexts/virtual_domain_context*
 
@@ -927,7 +904,6 @@ system_u:system_r:svirt_tcg_t:s0
 
 -   ***selinux_virtual_domain_context_path**(3)*
 
-<br>
 
 ## *contexts/virtual_image_context*
 
@@ -948,7 +924,6 @@ system_u:object_r:virt_content_t:s0
 
 -   ***selinux_virtual_image_context_path**(3)*
 
-<br>
 
 ## *contexts/x_contexts*
 
@@ -993,7 +968,6 @@ selection      PRIMARY	   system_u:object_r:clipboard_xselection_t:s0
 -   ***selabel_lookup**(3)*
 -   ***selabel_stats**(3)*
 
-<br>
 
 ## *contexts/files/file_contexts*
 
@@ -1027,7 +1001,6 @@ compatible regular expression (PCRE) internal format.
 -   ***selabel_lookup**(3)*
 -   ***selabel_stats**(3)*
 
-<br>
 
 ## *contexts/files/file_contexts.local*
 
@@ -1040,7 +1013,6 @@ file section to allow locally defined files to be labeled correctly. The
 
 -   ***selinux_file_context_local_path**(3)*
 
-<br>
 
 ## *contexts/files/file_contexts.homedirs*
 
@@ -1066,7 +1038,6 @@ Perl compatible regular expression (PCRE) internal format.
 -   ***selinux_file_context_homedir_path**(3)*
 -   ***selinux_homedir_context_path**(3)*
 
-<br>
 
 ## contexts/files/file_contexts.subs
 ## contexts/files/file_contexts.subs_dist
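Review bot: the two headings in the trailing context,
`## contexts/files/file_contexts.subs` and
`## contexts/files/file_contexts.subs_dist`, are plain text, while the
neighbouring file-name headings in this same diff
(`## *contexts/files/file_contexts.homedirs*`, `## *contexts/files/media*`) are
wrapped in `*...*`. As the series aims for a consistent look in the raw
markdown, pick one form for file-name headings and apply it here too;
`## setrans.conf` and `## users/local.users` show the same mismatch.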
@@ -1097,7 +1068,6 @@ with */var/www*, with the final result being:
 -   ***matchpathcon**(3)* (deprecated)
 -   ***matchpathcon_index**(3)* (deprecated)
 
-<br>
 
 ## *contexts/files/media*
 
@@ -1137,7 +1107,6 @@ disk system_u:object_r:fixed_disk_device_t:s0
 
 -   ***selinux_media_context_path**(3)*
 
-<br>
 
 ## *contexts/users/[seuser_id]*
 
@@ -1176,7 +1145,6 @@ system_r:init_t:s0		unconfined_r:unconfined_t:s0
 -   ***get_ordered_context_list**(3)*
 -   ***get_ordered_context_list_with_level**(3)*
 
-<br>
 
 ## *logins/&lt;linuxuser_id&gt;*
 
@@ -1230,7 +1198,6 @@ another_service:unconfined_u:s0
 
 -   ***getseuser**(3)*
 
-<br>
 
 ## users/local.users
 
@@ -1251,7 +1218,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux
 in the ***selinux_booleans_path**(3)*, and also a *local.users* file
 in the ***selinux_users_path**(3)*.
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -1260,7 +1226,6 @@ in the ***selinux_users_path**(3)*.
 </section>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md
index a69fbc0..4289136 100644
--- a/src/policy_config_statements.md
+++ b/src/policy_config_statements.md
@@ -63,7 +63,6 @@ continue to use the original functionality.
 policycap network_peer_controls;
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/policy_languages.md b/src/policy_languages.md
index 9bd4247..fe579fe 100644
--- a/src/policy_languages.md
+++ b/src/policy_languages.md
@@ -55,7 +55,6 @@ domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
 domain_entry_file(test_stat_domain, ls_exec_t)
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md
index fe857d1..45ff3fa 100644
--- a/src/policy_store_config_files.md
+++ b/src/policy_store_config_files.md
@@ -54,7 +54,6 @@ The command types are:
 -   [***semanage user***](#activeusers.local) Manage  SELinux confined users
 (Roles and levels for an SELinux user)
 
-<br>
 
 ## active/modules Directory Contents
 
@@ -84,7 +83,6 @@ test_policy               400       pp
 ...
 ```
 
-<br>
 
 ### *tmp* Policy Store (build failure)
 
@@ -95,14 +93,12 @@ message indicating the failing line number is:
 
 `Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1`
 
-<br>
 
 ## *active/commit_num*
 
 This is a binary file used by ***semanage*** for managing updates to the
 store. The format is not relevant to policy construction.
 
-<br>
 
 ### *active/policy.kern*
 
@@ -112,7 +108,6 @@ is then becomes the
 */etc/selinux/&lt;SELINUXTYPE&gt;/policy/policy.&lt;ver&gt;* binary policy
 that will be loaded into the kernel.
 
-<br>
 
 ## *active/policy.linked*
 ## *active/seusers.linked*
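Review bot: the `@@` context line of this hunk shows that the sentence just
above the change reads "is then becomes the", which is ungrammatical. It is not
introduced by this patch, but policy_store_config_files.md is being touched
throughout, so it is worth correcting that sentence in this series or noting it
for a follow-up.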
@@ -121,7 +116,6 @@ that will be loaded into the kernel.
 These are saved policy files prior to merging local changes to improve
 performance.
 
-<br>
 
 ## *active/booleans.local*
 
@@ -143,7 +137,6 @@ the new value) if requested.
 daemons_enable_cluster_mode=1
 ```
 
-<br>
 
 ## *disable_dontaudit*
 
@@ -152,7 +145,6 @@ to build the policy or ***semanage dontaudit***. It indicates that a policy
 has been built without the `dontaudit` rules. This allows utilities
 such as ***audit2allow**(8)* to list all denials to assist debugging policy.
 
-<br>
 
 ## *active/file_contexts*
 
@@ -216,7 +208,6 @@ section.
 /var/run -dsystem_u:object_r:var_run_t:s0-s15:c0.c255
 /usr/tmp -dsystem_u:object_r:tmp_t:s0-s15:c0.c255
 ```
-<br>
 
 ### Building the File Labeling Support Files
 
@@ -274,7 +265,6 @@ files.*
 </tbody>
 </table>
 
-<br>
 
 Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are:
 
@@ -345,7 +335,6 @@ HOME_ROOT/lost\+found/.*	<<none>>
 /home		-l	gen_context(system_u:object_r:home_root_t,s0)
 ```
 
-<br>
 
 ## *active/file_contexts.local*
 
@@ -374,7 +363,6 @@ The resulting *file_contexts.local* file will be:
 /usr/move_file    system_u:object_r:unlabeled_t:s0
 ```
 
-<br>
 
 ## *active/homedir_template*
 
@@ -400,7 +388,6 @@ HOME_ROOT/\.journal	<<none>>
 HOME_DIR/.+	system_u:object_r:user_home_t:s0
 ```
 
-<br>
 
 ### *active/file_contexts.homedirs*
 
@@ -437,7 +424,6 @@ libsepol library function.
 /home/[^/]+/.+	unconfined_u:object_r:user_home_t:s0
 ```
 
-<br>
 
 ## active/seusers
 ## active/seusers.local
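Review bot: removing the `<br>` here leaves two consecutive blank lines between
the closing code fence and `## active/seusers`, and the same residue appears in
nearly every hunk of this patch. Patch 15/18 ("all: consolidate multiple blank
lines into one") cleans this up later in the series, so either say so in this
commit message or drop the redundant blank line together with the tag, so that
each commit leaves the markdown tidy on its own.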
@@ -519,7 +505,6 @@ __default__:unconfined_u:s0-s0:c0.c1023
 rch:user_u:s0
 ```
 
-<br>
 
 ## *active/users_extra*
 ## *active/users_extra.local*
@@ -625,7 +610,6 @@ and the resulting *users.local* file will be:
 user test_u roles { staff_r } level s0 range s0;
 ```
 
-<br>
 
 ## *active/interfaces.local*
 
@@ -649,7 +633,6 @@ in the [**`netifcon`**](network_statements.md#netifcon) section.
 netifcon enp7s0 system_u:object_r:netif_t:s0:c20.c250 system_u:object_r:netif_t:s0:c20.c250
 ```
 
-<br>
 
 ## *active/nodes.local*
 
@@ -674,7 +657,6 @@ with examples in the policy language
 nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0:c20.c250
 ```
 
-<br>
 
 ## *active/ports.local*
 
@@ -700,7 +682,6 @@ with examples in the policy language
 portcon tcp 8888 system_u:object_r:port_t:s0:c20.c350
 ```
 
-<br>
 
 ## Set domain permissive mode
 
@@ -720,7 +701,6 @@ Note that the CIL `typepermissive` statement is used, the equivalent kernel
 policy statement would be [**`permissive`**](type_statements.md#permissive).
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md
index 50375ab..19a380d 100644
--- a/src/policy_validation_example.md
+++ b/src/policy_validation_example.md
@@ -93,7 +93,6 @@ options as described in the
 [**Global Configuration Files** - *semanage.conf*](global_config_files.md#etcselinuxsemanage.conf)
 file section.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md
index cd740fa..cf2b889 100644
--- a/src/polyinstantiation.md
+++ b/src/polyinstantiation.md
@@ -23,7 +23,6 @@ To clarify polyinstantiation support:
     function of the XSELinux Object Manager and the supporting XACE
     service.
 
-<br>
 
 ## Polyinstantiated Objects
 
@@ -34,7 +33,6 @@ libselinux API functions. These are not limited to specific object
 classes, however only `dir`, `x_selection` and `x_property` objects are
 currently supported.
 
-<br>
 
 ## Polyinstantiation support in PAM
 
@@ -104,7 +102,6 @@ instance, and the user name. If a new instance is being set up, the
 directory permissions are set and the ***restorecon**(8)* command is run
 to set the correct file contexts.
 
-<br>
 
 #### *namespace.conf* Configuration File
 
@@ -140,7 +137,6 @@ Where:
 </tbody>
 </table>
 
-<br>
 
 ### Example Configurations
 
@@ -207,7 +203,6 @@ following polyinstantiated directories:
 /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch
 ```
 
-<br>
 
 ## Polyinstantiation support in X-Windows
 
@@ -217,7 +212,6 @@ objects as discussed in the
 [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support)
 section.
 
-<br>
 
 ## Polyinstantiation support in the Reference Policy
 
@@ -231,7 +225,6 @@ The polyinstantiation of X-Windows objects (*x_selection* and
 *x_property*) are not currently supported by the reference policy.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/rbac.md b/src/rbac.md
index 25a4e07..b051d09 100644
--- a/src/rbac.md
+++ b/src/rbac.md
@@ -23,7 +23,6 @@ Some policies, for example Android, only make use of one role called `r`.
 access via user, role and domain type association.*
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/reference_policy.md b/src/reference_policy.md
index b51f4b1..4d4fd5d 100644
--- a/src/reference_policy.md
+++ b/src/reference_policy.md
@@ -26,7 +26,6 @@ In most documentation the policy name is defined using the
 */etc/selinux/config* file entry **SELINUXTYPE=**. This part of the Notebook
 uses both forms.
 
-<br>
 
 ### Reference Policy Overview
 
@@ -70,7 +69,6 @@ section explains a simple build from source.
 
 **Figure 26: The Reference Policy Source Tree** - *When building a modular policy, files are added to the policy store. For monolithic builds the policy store is not used.*
 
-<br>
 
 The Reference Policy can be used to build two policy types:
 
@@ -93,7 +91,6 @@ forming a single 'base' source file.
 The Reference Policy relies heavily on the ***m4**(1)* macro processor
 as the majority of supporting services are m4 macros.
 
-<br>
 
 ### Distributing Policies
 
@@ -135,7 +132,6 @@ The selinux-policy-sandbox rpm contains the sandbox module for use by the
 *policycoreutils-sandbox* package. This will be installed as a module for
 one of the three main policies described above.
 
-<br>
 
 ### Policy Functionality
 
@@ -150,7 +146,6 @@ the *SELINUXTYPE* entry of the *build.conf* as shown in
     and can also confine other areas and users.
 -   mls - MLS policy for server based systems.
 
-<br>
 
 ### Reference Policy Module Files
 
@@ -313,7 +308,6 @@ interface(`ada_run',`
 /usr/libexec/gcc(/.*)?/gnat1	--	gen_context(system_u:object_r:ada_exec_t,s0)
 ```
 
-<br>
 
 ### Reference Policy Documentation
 
@@ -342,7 +336,6 @@ the ada module interfaces.
 
 **Figure 27: Example Documentation Screen Shot**
 
-<br>
 
 ## Reference Policy Source
 
@@ -356,7 +349,6 @@ updated with the authors comments as necessary). There is also a VERSION
 file that contains the Reference Policy release date, this can then be used to
 obtain a change list <https://github.com/SELinuxProject/refpolicy/releases>.
 
-<br>
 
 ### Source Layout
 
@@ -382,7 +374,6 @@ The
 section then describes how the initial source is installed and
 configured to allow a policy to be built.
 
-<br>
 
 ### Reference Policy Files and Directories
 
@@ -542,14 +533,12 @@ modular policy is being built. This file is explained in the
 
 **Table 1: The Reference Policy Files and Directories**
 
-<br>
 
 ### Source Configuration Files
 
 There are two major configuration files (build.conf and modules.conf)
 that define the policy to be built and are detailed in this section.
 
-<br>
 
 #### Reference Policy Build Options - build.conf
 
@@ -656,7 +645,6 @@ policy is built with examples shown in the
 
 **Table 2:** *build.conf* **Entries**
 
-<br>
 
 <table>
 <tbody>
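Review bot: in this hunk the `<br>` was the explicit spacer between the
`**Table 2:**` caption and the next `<table>`, so after the removal the caption
sits directly above a table it does not describe. Check the rendered HTML and
PDF to confirm the caption still reads as belonging to the table above it; if
spacing is needed, it is better supplied by the css patches in this series than
by a `<br>`. The `**Table 8: Base Module Build**` hunk further down has the same
layout.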
@@ -715,7 +703,6 @@ policy is built with examples shown in the
 
 **Table 3: m4 parameters set at build time** - *These have been extracted from the Reference Policy Makefile.*
 
-<br>
 
 #### Reference Policy Build Options - policy/modules.conf
 
@@ -917,7 +904,6 @@ reference policy are different)
 
 **Table 4: Mandatory modules.conf Entries**
 
-<br>
 
 ##### Building the modules.conf File
 
@@ -931,7 +917,6 @@ As will be seen in the
 pre-configured files that are used to produce the required policy including
 multiple versions of the *modules.conf* file.
 
-<br>
 
 ### Source Installation and Build Make Options
 
@@ -1065,7 +1050,6 @@ taken from the *README* file.
 
 **Table 7: Monolithic Policy Build Make Targets**
 
-<br>
 
 ### Booleans, Global Booleans and Tunable Booleans
 
@@ -1093,7 +1077,6 @@ built and used as follows:
 </tbody>
 </table>
 
-<br>
 
 ### Modular Policy Build Structure
 
@@ -1222,7 +1205,6 @@ in **Table 9: Module Build**.
 
 **Table 8: Base Module Build** - *This shows the temporary build files used to build the base module 'base.conf' as a part of the 'make' process. Note that the modules marked as base in modules.conf are built here.*
 
-<br>
 
 <table>
 <tbody>
@@ -1260,7 +1242,6 @@ in **Table 9: Module Build**.
 
 **Table 9: Module Build** - *This shows the module files and the temporary build files used to build each module as a part of the 'make' process (i.e. those modules marked as module in modules.conf).*
 
-<br>
 
 ### Creating Additional Layers
 
@@ -1284,7 +1265,6 @@ completed:
 
 `<summary>ABC modules for the XYZ components.</summary>`
 
-<br>
 
 ## Installing and Building the Reference Policy Source
 
@@ -1294,7 +1274,6 @@ the Fedora targeted policy. The Fedora version of the targeted
 policy build is discussed but building without using the rpm spec file
 is more complex.
 
-<br>
 
 ### Building Standard Reference Policy
 
@@ -1435,7 +1414,6 @@ WERROR = n
     as ***apol**(8)* or loaded by editing the */etc/selinux/config*
     file, running '*touch /.autorelabel*' and rebooting the system.
 
-<br>
 
 ### Building the Fedora Policy
 
@@ -1605,7 +1583,6 @@ QUIET = n
     '*touch /.autorelabel*' and rebooting the system. It should have the
     same number of rules, types, classes etc. as the original release.
 
-<br>
 
 ## Reference Policy Headers
 
@@ -1642,7 +1619,6 @@ source two steps are required:
 -   Copy the module interface files (*.if*) to the relevant module
     directories at: */usr/share/selinux/&lt;SELINUXTYPE&gt;/include/modules*.
 
-<br>
 
 ### Using the Reference Policy Headers
 
@@ -1711,7 +1687,6 @@ modules built from headers.
 
 **Table 10: Header Policy Build Make Targets**
 
-<br>
 
 ### Using Fedora Supplied Headers
 
@@ -1727,7 +1702,6 @@ manner as Fedora installs:
 -   The documentation is installed in the
     */usr/share/doc/selinux-policy/html* directory.
 
-<br>
 
 ## Reference Policy Support Macros
 
@@ -1876,7 +1850,6 @@ Incorrect:
 
 `policy_module (ftp, 1.7.0)`
 
-<br>
 
 ### Loadable Policy Macros
 
@@ -1961,7 +1934,6 @@ require {
 }
 ```
 
-<br>
 
 #### `gen_require` Macro
 
@@ -2025,7 +1997,6 @@ require {
 }
 ```
 
-<br>
 
 #### `optional_policy` Macro
 
@@ -2193,7 +2164,6 @@ optional {
 } # end optional
 ```
 
-<br>
 
 #### `gen_tunable` Macro
 
@@ -2271,7 +2241,6 @@ gen_tunable(allow_ftpd_use_nfs, false)
 
 bool allow_ftpd_use_nfs false;
 ```
-<br>
 
 #### `tunable_policy` Macro
 
@@ -2349,7 +2318,6 @@ if (allow_ftpd_use_nfs && allow_ftpd_anon_write) {
 } # end allow_ftpd_use_nfs && allow_ftpd_anon_write
 ```
 
-<br>
 
 #### `interface` Macro
 
@@ -2470,7 +2438,6 @@ optional {
 } # end optional
 ```
 
-<br>
 
 #### `template` Macro
 
@@ -2624,7 +2591,6 @@ template(`djbdns_daemontools_domain_template',`
 ##### end djbdns_daemontools_domain_template(dnscache) depth: 0
 ```
 
-<br>
 
 ### Miscellaneous Macros
 
@@ -2693,7 +2659,6 @@ where it is used to set the files security context.
 /dev/\.tmp-block-.*  -c  system_u:object_r:fixed_disk_device_t:s15:c0.c1023
 ```
 
-<br>
 
 #### `gen_user` Macro
 
@@ -2790,7 +2755,6 @@ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - s15
 user root prefix sysadm;
 ```
 
-<br>
 
 #### `gen_bool` Macro
 
@@ -2924,7 +2888,6 @@ if( ! secure_mode_insmod ) {
 }
 ```
 
-<br>
 
 ### MLS and MCS Macros
 
@@ -2997,7 +2960,6 @@ category c1;
 category c1023;
 ```
 
-<br>
 
 #### `gen_sens` Macro
 
@@ -3066,7 +3028,6 @@ sensitivity s1;
 sensitivity s15;
 ```
 
-<br>
 
 #### `gen_levels` Macro
 
@@ -3137,7 +3098,6 @@ level s1:c0.c1023;
 level s15:c0.c1023;
 ```
 
-<br>
 
 #### System High/Low Parameters
 
@@ -3183,14 +3143,12 @@ s0:c0.c1023
 c0.c1023
 ```
 
-<br>
 
 ### `ifdef` / `ifndef` Parameters
 
 This section contains examples of the common `ifdef` / `ifndef`
 parameters that can be used in module source files.
 
-<br>
 
 #### `hide_broken_symptoms`
 
@@ -3212,7 +3170,6 @@ ifdef(`hide_broken_symptoms',`
 ')
 ```
 
-<br>
 
 #### `enable_mls` and `enable_mcs`
 
@@ -3241,7 +3198,6 @@ ifdef(`enable_mcs',`
 ')
 ```
 
-<br>
 
 #### `enable_ubac`
 
@@ -3272,7 +3228,6 @@ define(`basic_ubac_conditions',`
 ')
 ```
 
-<br>
 
 #### `direct_sysadm_daemon`
 
@@ -3296,7 +3251,6 @@ ifndef(`direct_sysadm_daemon',`
 ')
 ```
 
-<br>
 
 ## Module Expansion Process
 
@@ -3326,7 +3280,6 @@ section.
 **Figure 29: The expansion process**
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/role_statements.md b/src/role_statements.md
index de86c8b..36fe4c3 100644
--- a/src/role_statements.md
+++ b/src/role_statements.md
@@ -91,7 +91,6 @@ role user_r types user_t;
 role user_r types chfn_t;
 ```
 
-<br>
 
 ## `attribute_role`
 
@@ -155,7 +154,6 @@ attribute_role role_list_1;
 attribute_role srole_list_2;
 ```
 
-<br>
 
 ## `roleattribute`
 
@@ -226,7 +224,6 @@ role service_r;
 roleattribute service_r role_list_1;
 ```
 
-<br>
 
 ## `allow`
 
@@ -297,7 +294,6 @@ Note that the role allow rule has the same keyword as the allow AV rule.
 allow sysadm_r secadm_r;
 ```
 
-<br>
 
 ## `role_transition`
 
@@ -371,7 +367,6 @@ Or from Policy version 25:
 
 `role_transition system_r unconfined_exec_t:process unconfined_r;`
 
-<br>
 
 ## `dominance` - Deprecated
 
@@ -452,7 +447,6 @@ Where:
 dominance { role message_filter_r { role unconfined_r };}
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/seandroid.md b/src/seandroid.md
index 6cfa960..d9a184c 100644
--- a/src/seandroid.md
+++ b/src/seandroid.md
@@ -42,7 +42,6 @@ The sections that follow cover:
 8.  Logging and auditing
 9.  Configuration file formats
 
-<br>
 
 ## SE for Android Project Updates
 
@@ -198,7 +197,6 @@ Build information for each device that includes device specific policy as
 discussed in the [**The SELinux Policy**](#the-selinux-policy) and
 [**Managing Device Policy Files**](#managing-device-policy-files) sections.
 
-<br>
 
 ## Kernel LSM / SELinux Support
 
@@ -222,7 +220,6 @@ Kernel 5.0+ supports Dynamically Allocated Binder Devices, therefore
 configuring specific devices (e.g. **CONFIG_ANDROID_BINDER_DEVICES="binder"**)
 is no longer required (use ***CONFIG_ANDROID_BINDERFS=y*** instead).
 
-<br>
 
 ## Android Classes & Permissions
 
@@ -466,7 +463,6 @@ not all are required for Android.
 </tbody>
 </table>
 
-<br>
 
 ## SELinux Commands
 
@@ -529,7 +525,6 @@ for example:
 </tbody>
 </table>
 
-<br>
 
 ## SELinux Public Methods
 
@@ -633,7 +628,6 @@ TV package *AboutFragment.java* calls **SELinux.isSELinuxEnabled()**.
 </tbody>
 </table>
 
-<br>
 
 ## Android Init Language SELinux Extensions
 
@@ -680,7 +674,6 @@ service ueventd /system/bin/ueventd
     restorecon --recursive --skip-ce /data
 ```
 
-<br>
 
 ## The SELinux Policy
 
@@ -978,7 +971,6 @@ domains (not allowed) and `neverallow` assertions
 **version_policy** - Takes the given public platform policy, a private policy
 and a version number to produced a combined "versioned" policy file.
 
-<br>
 
 ## Logging and Auditing
 
@@ -1002,7 +994,6 @@ in the kernel buffers that can be read using ***dmesg**(1)*:
 
 `adb shell dmesg`
 
-<br>
 
 ## Policy File Formats
 
@@ -1117,7 +1108,6 @@ example taken from *device/generic/goldfish/fstab.ranchu*:
 /dev/block/pci/pci0000:00/0000:00:06.0/by-name/metadata /metadata ext4 .....
 ```
 
-<br>
 
 ### ***seapp_contexts***
 
@@ -1367,7 +1357,6 @@ LABEL                                    USER    PID  PPID NAME
 u:r:untrusted_app:s0:c149,c256,c512,c768 u0_a149 1138 64   com.example.myapplication
 ```
 
-<br>
 
 ### ***property_contexts***
 
@@ -1410,7 +1399,6 @@ ro.telephony.call_ring.multiple   u:object_r:telephony_config_prop:s0 exact bool
 ro.telephony.default_cdma_sub     u:object_r:telephony_config_prop:s0 exact int
 ```
 
-<br>
 
 ### ***service_contexts***
 
@@ -1460,7 +1448,6 @@ manager                 u:object_r:service_manager_vndservice:s0
 *                       u:object_r:default_android_vndservice:s0
 ```
 
-<br>
 
 ### ***mac_permissions.xml***
 
@@ -1548,7 +1535,6 @@ file:
      </signer>
 ```
 
-<br>
 
 ### ***keys.conf***
 
@@ -1590,7 +1576,6 @@ USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
 ```
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/security_context.md b/src/security_context.md
index 936e6a5..bb219cb 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -114,7 +114,6 @@ unconfined_u:object_r:out_file_t Message-11
 # (see the process example above). The role remained as object_r.
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md
index 9bbeb32..077ffb6 100644
--- a/src/selinux_cmds.md
+++ b/src/selinux_cmds.md
@@ -153,7 +153,6 @@ has a page that details all the available tools and commands at:
 </table>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/selinux_overview.md b/src/selinux_overview.md
index 10de4dc..0fa89b9 100644
--- a/src/selinux_overview.md
+++ b/src/selinux_overview.md
@@ -43,7 +43,6 @@ locations as follows:
 </tbody>
 </table>
 
-<br>
 
 ## Is SELinux useful
 
@@ -125,7 +124,6 @@ The following maybe useful in providing a practical view of SELinux:
 4.  Older NSA documentation at: <https://www.nsa.gov/what-we-do/research/selinux/documentation/>
     that is informative.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/sid_statement.md b/src/sid_statement.md
index 4e64b68..cbb3ec9 100644
--- a/src/sid_statement.md
+++ b/src/sid_statement.md
@@ -71,7 +71,6 @@ sid unlabeled
 sid fs
 ```
 
-<br>
 
 ## `sid context`
 
@@ -148,7 +147,6 @@ sid unlabeled
 sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
 ```
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/subjects.md b/src/subjects.md
index c3a3338..99459a1 100644
--- a/src/subjects.md
+++ b/src/subjects.md
@@ -37,7 +37,6 @@ under `semanage_t`).
 
 **Untrusted** - Everything else.
 
-<br>
 
 <section class="footnotes">
 <ol>
@@ -46,7 +45,6 @@ under `semanage_t`).
 </section>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/terminology.md b/src/terminology.md
index c180633..59e9c0f 100644
--- a/src/terminology.md
+++ b/src/terminology.md
@@ -37,7 +37,6 @@
 | UID     | User Identifier                                                                          |
 | XACE    | X (windows) Access Control Extension                                                     |
 
-<br>
 
 ## Terminology
 
@@ -118,7 +117,6 @@ core SELinux infrastructure.
 </table>
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/title.md b/src/title.md
index a686d52..68a4eb1 100644
--- a/src/title.md
+++ b/src/title.md
@@ -80,7 +80,6 @@ Android.
 **Object Classes and Permissions** - Describes the SELinux object
 classes and permissions.
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/toc.md b/src/toc.md
index 5595512..70ffc9c 100644
--- a/src/toc.md
+++ b/src/toc.md
@@ -61,7 +61,6 @@
 -   [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips)
 -   [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example)
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/type_enforcement.md b/src/type_enforcement.md
index 6828404..898dae7 100644
--- a/src/type_enforcement.md
+++ b/src/type_enforcement.md
@@ -54,7 +54,6 @@ any SELinux service (i.e. it is only used to identify the type
 component), although as explained above CIL with namespaces does make
 identification of types easier.
 
-<br>
 
 ### Constraints
 
@@ -85,7 +84,6 @@ The kernel policy language constraints are defined in the
 [**Constraint Statements**](constraint_statements.md#constraint-statements)
 section.
 
-<br>
 
 ### Bounds
 
@@ -102,7 +100,6 @@ section defines the `typebounds` rule and also gives a summary of the
 `userbounds` and `rolebounds` rules.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/types_of_policy.md b/src/types_of_policy.md
index cbb755a..dcbe573 100644
--- a/src/types_of_policy.md
+++ b/src/types_of_policy.md
@@ -31,7 +31,6 @@ The type of SELinux policy can described in a number of ways:
 As can be seen the description of a policy can vary depending on the
 context.
 
-<br>
 
 ## Reference Policy
 
@@ -57,7 +56,6 @@ number of RPMs.
 The Reference Policy can be built as a Monolithic policy or as a Modular policy
 that has a 'base module' with zero or more optional 'loadable modules'.
 
-<br>
 
 ## Policy Functionality Based on Name or Type
 
@@ -95,7 +93,6 @@ The *NAME* and *TYPE* entries are defined in the reference policy
 [**Source Configuration Files**](reference_policy.md#source-configuration-files)
 section.
 
-<br>
 
 ## Custom Policy
 
@@ -121,7 +118,6 @@ classes/permissions (see kernel *Documentation/admin-guide/LSM/SELinux.rst*
 for build instructions, also the
 [**Notebook Sample Policy - README**](./notebook-examples/selinux-policy/README.md)).
 
-<br>
 
 ## Monolithic Policy
 
@@ -137,7 +133,6 @@ The Reference Policy supports building of monolithic policies.
 
 In some cases the kernel policy binary file is also called a monolithic policy.
 
-<br>
 
 ## Loadable Module Policy
 
@@ -171,7 +166,6 @@ into the final [**binary policy**](#policy-versions) for loading into
 the kernel, see
 "[**SELinux Policy Module Primer**](http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/)".
 
-<br>
 
 ### Optional Policy
 
@@ -180,7 +174,6 @@ The loadable module policy infrastructure supports an
 allows policy rules to be defined but only enabled in the binary policy once
 the conditions have been satisfied.
 
-<br>
 
 ## Conditional Policy
 
@@ -204,7 +197,6 @@ the state of the boolean value or values. See the
 [**Conditional Policy Statements**](conditional_statements.md#conditional-policy-statements)
 section.
 
-<br>
 
 ## Binary Policy
 
@@ -233,7 +225,6 @@ is supported by Fedora):
 
 */etc/selinux/targeted/policy/policy.32*
 
-<br>
 
 ## Policy Versions
 
@@ -381,7 +372,6 @@ quoted (some SELinux utilities give both version numbers).
 **Table 1: Policy version descriptions**
 
 
-<br>
 
 <!-- %CUTHERE% -->
 
diff --git a/src/users.md b/src/users.md
index 44ffb7b..48ffa36 100644
--- a/src/users.md
+++ b/src/users.md
@@ -25,7 +25,6 @@ the [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) section.
 Some policies, for example Android, only make use of one user called `u`.
 
 
-<br>
 
 <!-- %CUTHERE% -->
 



* [RFC,selinux-notebook PATCH 13/18] all: unify example formatting (scripts, code, policy, etc) in markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (11 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 12/18] all: remove all the <br> tags we haven't gotten to yet Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 15/18] all: consolidate multiple blank lines into one Paul Moore
                   ` (4 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

While the impact to the rendered markdown, HTML, and PDF is minimal,
this provides a more consistent look-and-feel when reading the raw
markdown.

The following script was used to do the conversion:

  for i in *.md; do
    sed 's/^[ \t]*`\([^`]\+\)`[ \t]*$/```\n\1\n```/p' -i $i
  done

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/apache_support.md              |    4 +-
 src/avc_rules.md                   |    4 +-
 src/bounds_rules.md                |    4 +-
 src/class_permission_statements.md |   12 ++++-
 src/computing_security_contexts.md |    4 +-
 src/conditional_statements.md      |    8 +++-
 src/configuration_files.md         |    4 +-
 src/constraint_statements.md       |   20 +++++++--
 src/default_rules.md               |   16 +++++--
 src/domain_object_transitions.md   |   44 +++++++++++++++-----
 src/file_labeling_statements.md    |   16 +++++--
 src/implementing_seaware_apps.md   |    4 +-
 src/infiniband_statements.md       |   16 +++++--
 src/lsm_selinux.md                 |   12 ++++-
 src/mls_statements.md              |   32 +++++++++++---
 src/modular_policy_statements.md   |   12 ++++-
 src/network_statements.md          |   52 ++++++++++++++++++-----
 src/network_support.md             |   28 +++++++++----
 src/pam_login.md                   |    4 +-
 src/policy_config_files.md         |   80 +++++++++++++++++++++++++++---------
 src/policy_config_statements.md    |    4 +-
 src/policy_store_config_files.md   |   52 ++++++++++++++++++-----
 src/policy_validation_example.md   |    8 +++-
 src/polyinstantiation.md           |    4 +-
 src/postgresql.md                  |    4 +-
 src/reference_policy.md            |   80 +++++++++++++++++++++++++++---------
 src/role_statements.md             |   36 ++++++++++++----
 src/seandroid.md                   |   28 +++++++++----
 src/security_context.md            |    4 +-
 src/sid_statement.md               |    8 +++-
 src/type_enforcement.md            |    8 +++-
 src/type_statements.md             |   36 ++++++++++++----
 src/types_of_policy.md             |    4 +-
 src/user_statements.md             |    8 +++-
 src/userspace_libraries.md         |    8 +++-
 src/vm_support.md                  |   12 ++++-
 src/x_windows.md                   |    4 +-
 src/xen_statements.md              |   32 +++++++++++---
 src/xperm_rules.md                 |    8 +++-
 39 files changed, 543 insertions(+), 181 deletions(-)

diff --git a/src/apache_support.md b/src/apache_support.md
index 22ce966..d74695a 100644
--- a/src/apache_support.md
+++ b/src/apache_support.md
@@ -7,7 +7,9 @@ library and policy that will allow finer grained access control when
 using Apache with threads. The additional Apache module is called
 `mod_selinux.so` and has a supporting policy module called `mod_selinux.pp`.
 
-`dnf install mod_selinux`
+```
+dnf install mod_selinux
+```
 
 The `mod_selinux` policy module makes use of the `typebounds` statement that
 was introduced into version 24 of the policy (requires a minimum kernel of
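Review bot: the `+` lines here show each converted line becoming exactly one three-line fenced block, which does not match the command quoted in the commit message. With a trailing `/p` flag and no `-n`, sed prints every substituted line a second time, so that command would write each block twice. The diffstat (543 insertions for 181 deletions, three lines per converted line) agrees with the single copy seen here, so the commit message should quote the command that was actually run, presumably without the `p` flag. Quoting `"$i"` in the loop would also be safer.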
diff --git a/src/avc_rules.md b/src/avc_rules.md
index de8e9c3..d200caf 100644
--- a/src/avc_rules.md
+++ b/src/avc_rules.md
@@ -20,7 +20,9 @@ section.
 
 **The common format for Access Vector Rules are:**
 
-`rule_name source_type target_type : class perm_set;`
+```
+rule_name source_type target_type : class perm_set;
+```
 
 **Where:**
 
diff --git a/src/bounds_rules.md b/src/bounds_rules.md
index e890955..4aa68c4 100644
--- a/src/bounds_rules.md
+++ b/src/bounds_rules.md
@@ -23,7 +23,9 @@ context associated to threads in multi-threaded applications.
 
 **The statement definition is:**
 
-`typebounds bounding_domain bounded_domain;`
+```
+typebounds bounding_domain bounded_domain;
+```
 
 **Where:**
 
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md
index eb42b1f..29cf855 100644
--- a/src/class_permission_statements.md
+++ b/src/class_permission_statements.md
@@ -22,7 +22,9 @@ There are two variants of the `class` statement for writing policy:
 Object classes are declared within a policy with the following statement
 definition:
 
-`class class_id`
+```
+class class_id
+```
 
 **Where:**
 
@@ -95,7 +97,9 @@ Declare a `common` identifier and associate one or more `common` permissions.
 
 The statement definition is:
 
-`common common_id { perm_set }`
+```
+common common_id { perm_set }
+```
 
 **Where:**
 
@@ -158,7 +162,9 @@ Inherit and / or associate permissions to a perviously declared `class` identifi
 
 **The statement definition is:**
 
-`class class_id [ inherits common_set ] [ { perm_set } ]`
+```
+class class_id [ inherits common_set ] [ { perm_set } ]
+```
 
 **Where:**
 
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index 100a8cf..807c4f7 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -124,7 +124,9 @@ language statement as they are mounted, they are based on the filesystem
 type name (e.g. `ext4`) and their behaviour (e.g. `xattr`). For example
 if the policy specifies the following:
 
-`fs_use_task pipefs system_u:object_r:fs_t:s0`
+```
+fs_use_task pipefs system_u:object_r:fs_t:s0
+```
 
 then as the `pipefs` filesystem is being mounted, the SELinux LSM
 security hook `selinux_set_mnt_opts` will call `security_fs_use`
diff --git a/src/conditional_statements.md b/src/conditional_statements.md
index 00159b6..218e1fc 100644
--- a/src/conditional_statements.md
+++ b/src/conditional_statements.md
@@ -66,7 +66,9 @@ initial state (`true` or `false`) that can then be used with the
 
 **The statement definition is:**
 
-`bool bool_id default_value;`
+```
+bool bool_id default_value;
+```
 
 **Where:**
 
@@ -148,7 +150,9 @@ are:
 
 **The statement definition is:**
 
-`if (conditional_expression) { true_list } [ else { false_list } ]`
+```
+if (conditional_expression) { true_list } [ else { false_list } ]
+```
 
 **Where:**
 
diff --git a/src/configuration_files.md b/src/configuration_files.md
index 10092c6..9cb97cd 100644
--- a/src/configuration_files.md
+++ b/src/configuration_files.md
@@ -157,7 +157,9 @@ format. This is achieved via a *pp* to CIL high level language
 conversion utility located at */usr/libexec/selinux/hll/pp*. This
 utility can be used manually as follows:
 
-	`cat module_name.pp | /usr/libexec/selinux/hll/pp > module_name.cil`
+```
+cat module_name.pp | /usr/libexec/selinux/hll/pp > module_name.cil
+```
 
 There is no man page for '*pp*', however the help text is as follows:
 
diff --git a/src/constraint_statements.md b/src/constraint_statements.md
index 9708306..e2c088f 100644
--- a/src/constraint_statements.md
+++ b/src/constraint_statements.md
@@ -8,7 +8,9 @@ source and target types, roles and users as described in the examples.
 
 **The statement definition is:**
 
-`constrain class perm_set expression;`
+```
+constrain class perm_set expression;
+```
 
 **Where:**
 
@@ -185,7 +187,9 @@ Note there are no `validatetrans` statements specified within the
 
 **The statement definition is:**
 
-`validatetrans class expression;`
+```
+validatetrans class expression;
+```
 
 **Where:**
 
@@ -266,7 +270,9 @@ Note there are no `validatetrans` statements specified within the
 
 **Example:**
 
-`validatetrans { file } { t1 == unconfined_t );`
+```
+validatetrans { file } { t1 == unconfined_t );
+```
 
 
 ## `mlsconstrain`
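Review bot: the example carried over as `validatetrans { file } { t1 == unconfined_t );` has mismatched delimiters: the expression opens with `{` and closes with `)`. The conversion is mechanical, so the typo predates this patch, but as a fenced block it now reads as something to copy and it is a syntax error as written. A follow-up should make the delimiters match, presumably parentheses on both sides of the expression.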
@@ -278,7 +284,9 @@ in the examples.
 
 **The statement definition is:**
 
-`mlsconstrain class perm_set expression;`
+```
+mlsconstrain class perm_set expression;
+```
 
 **Where:**
 
@@ -405,7 +413,9 @@ third `u3.r3.t3` is the context of the process performing the transition.
 
 **The statement definition is:**
 
-`mlsvalidatetrans class expression;`
+```
+mlsvalidatetrans class expression;
+```
 
 **Where:**
 
diff --git a/src/default_rules.md b/src/default_rules.md
index e759a84..336d161 100644
--- a/src/default_rules.md
+++ b/src/default_rules.md
@@ -12,7 +12,9 @@ Requires policy version 27.
 
 **The statement definition is:**
 
-`default_user class default;`
+```
+default_user class default;
+```
 
 **Where:**
 
@@ -86,7 +88,9 @@ Requires policy version 27.
 
 **The statement definition is:**
 
-`default_role class default;`
+```
+default_role class default;
+```
 
 **Where:**
 
@@ -160,7 +164,9 @@ Requires policy version 28.
 
 **The statement definition is:**
 
-`default_type class default;`
+```
+default_type class default;
+```
 
 **Where:**
 
@@ -240,7 +246,9 @@ greater of the low sensitivities and the lower of the high sensitivities.
 
 **The statement definition is:**
 
-`default_range class [default range] | [glblub];`
+```
+default_range class [default range] | [glblub];
+```
 
 **Where:**
 
diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md
index 2c5e45a..8882da9 100644
--- a/src/domain_object_transitions.md
+++ b/src/domain_object_transitions.md
@@ -20,14 +20,18 @@ two ways a process can define a domain transition:
     themselves SELinux-aware. This is the most common method and would
     be in the form of the following statement:
 
-`type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;`
+```
+type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
+```
 
 1.  SELinux-aware applications can specify the domain of the new process
     using the **libselinux** API call ***setexeccon**(3)*. To achieve
     this the SELinux-aware application must also have the setexec
     permission, for example:
 
-`allow crond_t self:process setexec;`
+```
+allow crond_t self:process setexec;
+```
 
 However, before any domain transition can take place the policy must
 specify that:
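Review bot: the new fences sit at column 0 while the list entries they belong to use a four-space continuation indent (`    be in the form of the following statement:`), so in the raw markdown each example ends the list entry instead of being part of it. Indenting the three fence lines by four spaces would keep the statement inside its entry, here and for the numbered steps in the later hunks of this file. The old inline form had the same placement, so this could equally be a follow-up.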
@@ -63,18 +67,24 @@ bullet numbers correspond to the numbers shown in **Figure 7: Domain Transition*
 1.  The *domain* needs permission to *transition* into the
     `ext_gateway_t` (target) domain:
 
-`allow unconfined_t ext_gateway_t : process transition;`
+```
+allow unconfined_t ext_gateway_t : process transition;
+```
 
 2.  The executable file needs to be *executable* in the `unconfined_t`
     (source) domain, and therefore also requires that the file is
     readable:
 
-`allow unconfined_t secure_services_exec_t : file { execute read getattr };`
+```
+allow unconfined_t secure_services_exec_t : file { execute read getattr };
+```
 
 3.  The executable file needs an *entry point* into the
     `ext_gateway_t` (target) domain:
 
-`allow ext_gateway_t secure_services_exec_t : file entrypoint;`
+```
+allow ext_gateway_t secure_services_exec_t : file entrypoint;
+```
 
 These are shown in **Figure 7: Domain Transition** where `unconfined_t` forks
 a child process, that then exec's the new program into a new domain
@@ -96,11 +106,15 @@ intention was to have both of these transition to their respective
 domains via `type_transition` statements. The `ext_gateway_t` statement
 would be:
 
-`type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;`
+```
+type_transition unconfined_t secure_services_exec_t : process ext_gateway_t;
+```
 
 and the `int_gateway_t` statement would be:
 
-`type_transition unconfined_t secure_services_exec_t : process int_gateway_t;`
+```
+type_transition unconfined_t secure_services_exec_t : process int_gateway_t;
+```
 
 However, when linking these two loadable modules into the policy, the
 following error was given:
@@ -215,7 +229,9 @@ that of its parent. For example a file is being created that requires a
 different label to that of its parent directory. This can be achieved
 automatically using a `type_transition` statement as follows:
 
-`type_transition ext_gateway_t in_queue_t:file in_file_t;`
+```
+type_transition ext_gateway_t in_queue_t:file in_file_t;
+```
 
 The following details an object transition used in n example
 *ext_gateway.conf* loadable module where by default, files would be labeled
@@ -251,16 +267,22 @@ rules, where:
 1.  The source domain needs permission to *add file entries into the
     directory*:
 
-`allow ext_gateway_t in_queue_t : dir { write search add_name };`
+```
+allow ext_gateway_t in_queue_t : dir { write search add_name };
+```
 
 2.  The source domain needs permission to *create file entries*:
 
-`allow ext_gateway_t in_file_t : file { write create getattr };`
+```
+allow ext_gateway_t in_file_t : file { write create getattr };
+```
 
 3.  The policy can then ensure (via the SELinux kernel services) that
     files created in the `in_queue` are relabeled:
 
-`type_transition ext_gateway_t in_queue_t : file in_file_t;`
+```
+type_transition ext_gateway_t in_queue_t : file in_file_t;
+```
 
 An example output from a directory listing shows the resulting file
 labels:
diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md
index dad3361..cd6bd55 100644
--- a/src/file_labeling_statements.md
+++ b/src/file_labeling_statements.md
@@ -25,7 +25,9 @@ section.
 
 **The statement definition is:**
 
-`fs_use_xattr fs_name fs_context;`
+```
+fs_use_xattr fs_name fs_context;
+```
 
 **Where:**
 
@@ -93,7 +95,9 @@ sockets.
 
 **The statement definition is:**
 
-`fs_use_task fs_name fs_context;`
+```
+fs_use_task fs_name fs_context;
+```
 
 **Where:**
 
@@ -164,7 +168,9 @@ filesystem type based on transition rules.
 
 **The statement definition is:**
 
-`fs_use_trans fs_name fs_context;`
+```
+fs_use_trans fs_name fs_context;
+```
 
 **Where:**
 
@@ -239,7 +245,9 @@ semi-colon on this statement.
 
 **The statement definition is:**
 
-`genfscon fs_name partial_path fs_context`
+```
+genfscon fs_name partial_path fs_context
+```
 
 **Where:**
 
diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md
index 244d3ac..d2cd9c4 100644
--- a/src/implementing_seaware_apps.md
+++ b/src/implementing_seaware_apps.md
@@ -224,7 +224,9 @@ The class configuration file is at:
 and each entry must be added to the end of the file in the following
 format:
 
-`class object_name   # userspace`
+```
+class object_name   # userspace
+```
 
 Where ***class*** is the class keyword and *object_name* is the name of
 the object. The `# userspace` is used by build scripts to detect userspace
diff --git a/src/infiniband_statements.md b/src/infiniband_statements.md
index 79c29da..6d46d37 100644
--- a/src/infiniband_statements.md
+++ b/src/infiniband_statements.md
@@ -19,7 +19,9 @@ the policy using the ***semanage ibpkey*** command that will associate the
 
 **The statement definition is:**
 
-`ibpkeycon subnet pkey pkey_context`
+```
+ibpkeycon subnet pkey pkey_context
+```
 
 **Where:**
 
@@ -80,7 +82,9 @@ ibpkeycon fe80:: 0-0x10 system_u:object_r:public_ibpkey_t:s0
 
 ***semanage**(8)* **Command example:**
 
-`semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF`
+```
+semanage ibpkey -a -t default_ibpkey_t -x fe80:: 0xFFFF
+```
 
 The above command will produce the following file:
 */var/lib/selinux/&lt;SELINUXTYPE&gt;/active/ibpkeys.local*
@@ -104,7 +108,9 @@ end port to a security context.
 
 **The statement definition is:**
 
-`ibendportcon device_id port_number port_context`
+```
+ibendportcon device_id port_number port_context
+```
 
 **Where:**
 
@@ -165,7 +171,9 @@ ibendportcon mlx5_0 1 system_u:object_r:opensm_ibendport_t:s0
 
 ***semanage**(8)* **Command example:**
 
-`semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2`
+```
+semanage ibendport -a -t opensm_ibendport_t -z mlx4_0 2
+```
 
 This command will produce the following file
 */var/lib/selinux/&lt;SELINUXTYPE&gt;/active/ibendports.local* in the default
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md
index d4be834..ffb4214 100644
--- a/src/lsm_selinux.md
+++ b/src/lsm_selinux.md
@@ -53,9 +53,13 @@ The basic idea behind LSM is to:
     services by extending the */proc* filesystem with a security
     namespace as shown in . These are located at:
 
-	`/proc/<self|pid>/attr/<attr>`
+```
+/proc/<self|pid>/attr/<attr>
+```
 
-	`/proc/<self|pid>/task/<tid>/attr/<attr>`
+```
+/proc/<self|pid>/task/<tid>/attr/<attr>
+```
 
 Where `<pid>` is the process id, `<tid>` is the thread id, and `<attr>` is the
 entry described in **Table 2: /proc Filesystem attribute files**.
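Review bot: the two `/proc` paths were adjacent indented lines under one list entry and now become two separate column-0 fenced blocks with a blank line between them. A single block holding both paths would be closer to the original and shorter in the raw markdown. The context line `namespace as shown in . These are located at:` also has an empty reference that could be fixed while this paragraph is being touched.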
@@ -67,7 +71,9 @@ entry described in **Table 2: /proc Filesystem attribute files**.
 -   Later kernels (ver ?) allow 'module stacking' where the LSM modules
     can be called in a predifined order, for example:
 
-	`lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf`
+```
+lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf
+```
 
 It should be noted that the LSM does not provide any security services
 itself, only the hooks and structures for supporting 3<sup>rd</sup>
diff --git a/src/mls_statements.md b/src/mls_statements.md
index d4a0c7f..1cc5733 100644
--- a/src/mls_statements.md
+++ b/src/mls_statements.md
@@ -3,7 +3,9 @@
 The optional MLS policy extension adds an additional security context
 component that consists of the following highlighted entries:
 
-`user:role:type:sensitivity[:category,...]- sensitivity [:category,...]`
+```
+user:role:type:sensitivity[:category,...]- sensitivity [:category,...]
+```
 
 These consist of a mandatory hierarchical
 [**sensitivity**](#sensitivity) and optional
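Review bot: the lead-in still says "the following highlighted entries", but nothing inside a fenced block can carry emphasis, so the reader is not shown which fields the MLS extension adds. Either reword the sentence to name the fields (the `sensitivity[:category,...]` range that follows `type`) or drop "highlighted". The spacing in `- sensitivity [:category,...]` is also uneven compared with the low half of the range.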
@@ -76,7 +78,9 @@ discussed at the start of the [**MLS section**](#mls-statements).
 
 **The definition is:**
 
-`low_level [ - high_level ]`
+```
+low_level [ - high_level ]
+```
 
 **Where:**
 
@@ -106,7 +110,9 @@ and optional alias identifiers.
 
 **The statement definition is:**
 
-`sensitivity sens_id [alias sensitivityalias_id ...];`
+```
+sensitivity sens_id [alias sensitivityalias_id ...];
+```
 
 **Where:**
 
@@ -185,7 +191,9 @@ required to define the actual hierarchy between all sensitivities.
 
 **The statement definition is:**
 
-`dominance { sensitivity_id ... }`
+```
+dominance { sensitivity_id ... }
+```
 
 **Where:**
 
@@ -246,7 +254,9 @@ identifiers and optional alias identifiers.
 
 **The statement definition is:**
 
-`category category_id [alias categoryalias_id ...];`
+```
+category category_id [alias categoryalias_id ...];
+```
 
 **Where:**
 
@@ -327,7 +337,9 @@ Note there must only be one `level` statement for each
 
 **The statement definition is:**
 
-`level sensitivity_id [ :category_id ];`
+```
+level sensitivity_id [ :category_id ];
+```
 
 **Where:**
 
@@ -400,11 +412,15 @@ enhanced in Policy version 21 to accept other object classes.
 
 **The statement definition is (for pre-policy version 21):**
 
-`range_transition source_type target_type new_range;`
+```
+range_transition source_type target_type new_range;
+```
 
 **or (for policy version 21 and greater):**
 
-`range_transition source_type target_type : class new_range;`
+```
+range_transition source_type target_type : class new_range;
+```
 
 **Where:**
 
diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md
index 2918010..564c2be 100644
--- a/src/modular_policy_statements.md
+++ b/src/modular_policy_statements.md
@@ -15,7 +15,9 @@ modules within the policy.
 
 **The statement definition is:**
 
-`module module_name version_number;`
+```
+module module_name version_number;
+```
 
 **Where:**
 
@@ -88,7 +90,9 @@ The require statement is used for two reasons:
 
 **The statement definition is:**
 
-`require { rule_list }`
+```
+require { rule_list }
+```
 
 **Where:**
 
@@ -174,7 +178,9 @@ a [**`require`**](#require) statement at the start of the list.
 
 **The statement definition is:**
 
-`optional { rule_list } [ else { rule_list } ]`
+```
+optional { rule_list } [ else { rule_list } ]
+```
 
 **Where:**
 
diff --git a/src/network_statements.md b/src/network_statements.md
index da66612..8049aa7 100644
--- a/src/network_statements.md
+++ b/src/network_statements.md
@@ -33,14 +33,18 @@ sid port system_u:object_r:port_t:s0
 IPv4 addresses are represented in dotted-decimal notation (four
 numbers, each ranging from 0 to 255, separated by dots as shown:
 
-`192.77.188.166`
+```
+192.77.188.166
+```
 
 ### IPv6 Address Formats
 
 IPv6 addresses are written as eight groups of four hexadecimal digits,
 where each group is separated by a colon ':' as follows:
 
-`2001:0db8:85a3:0000:0000:8a2e:0370:7334`
+```
+2001:0db8:85a3:0000:0000:8a2e:0370:7334
+```
 
 To shorten the writing and presentation of addresses, the following
 rules apply:
@@ -48,25 +52,35 @@ rules apply:
 1.  Any leading zeros in a group may be replaced with a single '0' as
     shown:
 
-`2001:db8:85a3:0:0:8a2e:370:7334`
+```
+2001:db8:85a3:0:0:8a2e:370:7334
+```
 
 2.  Any leading zeros in a group may be omitted and be replaced with two
     colons '::', however this is only allowed once in an address as
     follows:
 
-`2001:db8:85a3::8a2e:370:7334`
+```
+2001:db8:85a3::8a2e:370:7334
+```
 
 3.  The *localhost* (loopback) address can be written as:
 
-`0000:0000:0000:0000:0000:0000:0000:0001`
+```
+0000:0000:0000:0000:0000:0000:0000:0001
+```
 
 Or
 
-`::1`
+```
+::1
+```
 
 4.  An undetermined IPv6 address i.e. all bits are zero is written as:
 
-`::`
+```
+::
+```
 
 
 ## `netifcon`
@@ -80,7 +94,9 @@ the interface to a security context.
 
 **The statement definition is:**
 
-`netifcon netif_id netif_context packet_context`
+```
+netifcon netif_id netif_context packet_context
+```
 
 **Where:**
 
@@ -145,7 +161,9 @@ netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unla
 
 ***semanage**(8)* **Command example:**
 
-`semanage interface -a -t netif_t eth2`
+```
+semanage interface -a -t netif_t eth2
+```
 
 This command will produce the following file in the default
 &lt;SELINUXTYPE&gt; policy store and then activate the policy:
@@ -174,7 +192,9 @@ context.
 
 **The statement definition is:**
 
-`nodecon subnet netmask node_context`
+```
+nodecon subnet netmask node_context
+```
 
 **Where:**
 
@@ -244,7 +264,9 @@ nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
 
 ***semanage**(8)* **Command example:**
 
-`semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2`
+```
+semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2
+```
 
 This command will produce the following file in the default
 &lt;SELINUXTYPE&gt; policy store and then activate the policy:
@@ -269,7 +291,9 @@ policy using the ***semanage**(8)* 'port' command that will associate the port
 
 **The statement definition is:**
 
-`portcon protocol port_number port_context`
+```
+portcon protocol port_number port_context
+```
 
 **Where:**
 
@@ -335,7 +359,9 @@ portcon udp 1-599 system_u:object_r:reserved_port_t:s0
 
 ***semanage**(8)* **Command example:**
 
-`semanage port -a -t reserved_port_t -p udp 1234`
+```
+semanage port -a -t reserved_port_t -p udp 1234
+```
 
 This command will produce the following file in the default
 &lt;SELINUXTYPE&gt; policy store and then activate the policy:
diff --git a/src/network_support.md b/src/network_support.md
index b207247..63df855 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -40,16 +40,22 @@ SELinux filesystem as shown in the
 To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to
 be installed:
 
-`dnf install netlabel_tools`
+```
+dnf install netlabel_tools
+```
 
 To support Labeled IPSec the IPSec tools need to be installed:
 
-`dnf install ipsec-tools`
+```
+dnf install ipsec-tools
+```
 
 It is also possible to use an alternative Labeled IPSec service that was
 OpenSwan but is now distributed as LibreSwan:
 
-`dnf install libreswan`
+```
+dnf install libreswan
+```
 
 It is important to note that the kernel must be configured to support
 these services. The Fedora kernels are configured to handle all the above
@@ -246,7 +252,9 @@ the LSM infrastructure. The implementation supports:
     show in **Figure 15**).
 -   Note that CALIPSO only supports this option, and an example
     ***netlabelctl**(8)* command setting a DOI of 16 is:
-    `netlabelctl calipso add pass doi:16`
+```
+netlabelctl calipso add pass doi:16
+```
 
 ![](./images/15-mls1.png)
 
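Review bot: in this hunk the example was indented to sit inside the `-   Note that CALIPSO only supports this option` entry, and the `^[ \t]*` in the conversion pattern strips that indent, so the fence now starts at column 0 directly under `command setting a DOI of 16 is:` with no blank line before it. The other converted blocks visible in this patch are all preceded by a blank line; add one here and indent the three fence lines by four spaces so the command stays part of the list entry.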
@@ -395,7 +403,9 @@ echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
 By default Fedora does not enable IPSEC via its default firewall configuration,
 therefore the server side requires the following command:
 
-`firewall-cmd --add-service ipsec`
+```
+firewall-cmd --add-service ipsec
+```
 
 There are two simple examples in the
 [***notebook-examples/network/ipsec***](notebook-examples/network/README.md)
@@ -434,11 +444,15 @@ Version 4.2 of NFS supports labeling between client/server and requires
 the ***exports**(5)* / ***exportfs**(8)* '*security_label*' option to
 be set:
 
-`exportfs -o rw,no_root_squash,security_label localhost:$MOUNT`
+```
+exportfs -o rw,no_root_squash,security_label localhost:$MOUNT
+```
 
 Labeled NFS requires kernel 3.14 and the following package installed:
 
-`dnf install nfs-utils`
+```
+dnf install nfs-utils
+```
 
 Labeled NFS clients must use a consistent security policy.
 
diff --git a/src/pam_login.md b/src/pam_login.md
index 8d3a831..02878ab 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -37,7 +37,9 @@ section and also the ***sepermit.conf**(5)*.
 The main login service related PAM configuration files (e.g. *gdm*)
 consist of multiple lines of information that are formatted as follows:
 
-`service type control module-path arguments`
+```
+service type control module-path arguments
+```
 
 **Where:**
 
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 6ce2020..aa4f1d1 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -3,7 +3,9 @@
 Each file discussed in this section is relative to the policy name as
 follows:
 
-`/etc/selinux/<SELINUXTYPE>`
+```
+/etc/selinux/<SELINUXTYPE>
+```
 
 All files under this area form the 'running policy' once the
 [*/etc/selinux/config*](global_config_files.md#etcselinuxconfig) files
@@ -97,7 +99,9 @@ Both files have the same format and contain one or more boolean names.
 
 **The format is:**
 
-`boolean_name value`
+```
+boolean_name value
+```
 
 **Where:**
 
@@ -136,7 +140,9 @@ the translated name.
 
 Each line within the substitution file *booleans.subs_dist* is:
 
-`policy_bool_name new_name`
+```
+policy_bool_name new_name
+```
 
 **Where:**
 
@@ -181,7 +187,9 @@ The daemon will not load unless a valid MCS or MLS policy is active.
 
 The translations can be disabled by adding the following line to the file:
 
-`disable = 1`
+```
+disable = 1
+```
 
 This file will also support the display of information in colour. The
 configuration file that controls this is called *secolor.conf* and is
@@ -340,7 +348,9 @@ list unless the -F flag is used (see the man pages).
 
 **The file format is as follows:**
 
-`type`
+```
+type
+```
 
 **Where:**
 
@@ -388,7 +398,9 @@ login applications) where:
 
 **The file format is as follows:**
 
-`role:type[:range] role:type[:range] ...`
+```
+role:type[:range] role:type[:range] ...
+```
 
 **Where:**
 
@@ -449,7 +461,9 @@ The end result was that as soon as enforcing mode was set, the system
 got bitter and twisted. To resolve this the *default_contexts* file
 entries were set to:
 
-`unconfined_r:unconfined_t unconfined_r:unconfined_t`
+```
+unconfined_r:unconfined_t unconfined_r:unconfined_t
+```
 
 The login process could now set the context correctly to
 `unconfined_r:unconfined_t`. Note that adding the same entry to the
@@ -491,7 +505,9 @@ The **default_type**(5) file allows SELinux-aware applications such as
 
 **The file format is as follows:**
 
-`role:type`
+```
+role:type
+```
 
 **Where:**
 
@@ -529,7 +545,9 @@ to allow an administrator access to the system.
 
 **The file format is as follows:**
 
-`role:type[:range]`
+```
+role:type[:range]
+```
 
 **Where:**
 
@@ -570,7 +588,9 @@ used by other SELinux-aware applications for the same purpose.
 
 **The file format is as follows:**
 
-`user:role:type[:range]`
+```
+user:role:type[:range]
+```
 
 **Where:**
 
@@ -689,7 +709,9 @@ matching of network packets - Never been used.
 
 **Example file contents:**
 
-`privsep_preauth=sshd_net_t`
+```
+privsep_preauth=sshd_net_t
+```
 
 **Supporting libselinux API functions are:**
 
@@ -705,7 +727,9 @@ should be used for removable devices that are not defined in the
 
 **The file format is as follows:**
 
-`user:role:type[:range]`
+```
+user:role:type[:range]
+```
 
 **Where:**
 
@@ -736,7 +760,9 @@ database objects and is descibed in ***selabel_db**(5)*.
 
 **The file format is as follows:**
 
-`object_type object_name context`
+```
+object_type object_name context
+```
 
 **Where:**
 
@@ -778,7 +804,9 @@ db_schema         *.*       system_u:object_r:sepgsql_schema_t:s0
 
 **Example file contents:**
 
-`snapperd_data = system_u:object_r:snapperd_data_t:s0`
+```
+snapperd_data = system_u:object_r:snapperd_data_t:s0
+```
 
 **Supporting libselinux API functions are:**
 
@@ -793,7 +821,9 @@ to find the type to use with tty devices when changing roles or levels.
 
 **The file format is as follows:**
 
-`type`
+```
+type
+```
 
 **Where:**
 
@@ -825,7 +855,9 @@ This file contains security contexts to be used by tasks run via ***systemd**(8)
 
 **The file format is as follows:**
 
-`service_class = security_context`
+```
+service_class = security_context
+```
 
 **Where:**
 
@@ -861,7 +893,9 @@ system-config-* applications when running from root.
 
 **The file format is as follows:**
 
-`security_context`
+```
+security_context
+```
 
 **Where:**
 
@@ -1058,7 +1092,9 @@ Then (for example), when ***selabel_lookup**(3)* is passed a path
 */myweb/index.html* the functions will substitute the */myweb* component
 with */var/www*, with the final result being:
 
-`/var/www/index.html`
+```
+/var/www/index.html
+```
 
 **Supporting libselinux API functions are:**
 
@@ -1078,7 +1114,9 @@ is used instead.
 
 **The file format is as follows:**
 
-`media_id file_context`
+```
+media_id file_context
+```
 
 **Where:**
 
@@ -1165,7 +1203,9 @@ used to retrieve default information.
 
 **The file format is as follows:**
 
-`service_name:seuser_id:level`
+```
+service_name:seuser_id:level
+```
 
 **Where:**
 
diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md
index 4289136..351513c 100644
--- a/src/policy_config_statements.md
+++ b/src/policy_config_statements.md
@@ -10,7 +10,9 @@ continue to use the original functionality.
 
 **The statement definition is:**
 
-`policycap capability;`
+```
+policycap capability;
+```
 
 **Where:**
 
diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md
index 45ff3fa..de7e9dc 100644
--- a/src/policy_store_config_files.md
+++ b/src/policy_store_config_files.md
@@ -91,7 +91,9 @@ the *tmp* directory (*/var/lib/selinux&lt;SELINUXTYPE&gt;/tmp*) will contain
 a copy of the failed policy for inspection. An example ***semodule*** failure
 message indicating the failing line number is:
 
-`Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1`
+```
+Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1
+```
 
 
 ## *active/commit_num*
@@ -126,7 +128,9 @@ the new value) if requested.
 
 **Example** ***semanage boolean*** **command to modify a boolean value:**
 
-`semanage boolean -m --on daemons_enable_cluster_mode`
+```
+semanage boolean -m --on daemons_enable_cluster_mode
+```
 
 **The resulting** *booleans.local* **file will be:**
 
@@ -235,7 +239,9 @@ files.*
 
 **The format of these files is:**
 
-`pathname_regexp [file_type] security_context | <<none>>`
+```
+pathname_regexp [file_type] security_context | <<none>>
+```
 
 **Where:**
 
@@ -352,7 +358,9 @@ The format of the *file_contexts.local* file is the same as the
 
 Example ***semanage fcontext*** command to add a new entry:
 
-`semanage fcontext -a -t unlabeled_t /usr/move_file`
+```
+semanage fcontext -a -t unlabeled_t /usr/move_file
+```
 
 The resulting *file_contexts.local* file will be:
 
@@ -452,7 +460,9 @@ The *seusers* file is built or modified when:
 
 **The format of the** *seusers* & *seusers.local* **files are as follows:**
 
-`[%]user_id:seuser_id[:range]`
+```
+[%]user_id:seuser_id[:range]
+```
 
 **Where:**
 
@@ -483,7 +493,9 @@ __default__:unconfined_u:s0-s0:c0.c1023
 
 now use ***semanage login*** command to add a Linux user:
 
-`semanage login -a -s user_u rch`
+```
+semanage login -a -s user_u rch
+```
 
 the resulting *seusers.local* file will be:
 
@@ -540,7 +552,9 @@ follows:
 
 **The format of the** *users_extra* & *users_extra.local* **files are:**
 
-`user seuser_id prefix prefix_id;`
+```
+user seuser_id prefix prefix_id;
+```
 
 **Where:**
 
@@ -577,7 +591,9 @@ user root prefix user;
 
 **Example** ***semanage user*** **command to add a new SELinux user:**
 
-`semanage user -a -R staff_r -P staff test_u`
+```
+semanage user -a -R staff_r -P staff test_u
+```
 
 the resulting *users_extra.local* file is as follows:
 
@@ -622,7 +638,9 @@ in the [**`netifcon`**](network_statements.md#netifcon) section.
 
 **Example** ***semanage interface*** **command:**
 
-`semanage interface -a -t netif_t -r s0:c20.c250 enp7s0`
+```
+semanage interface -a -t netif_t -r s0:c20.c250 enp7s0
+```
 
 **The resulting** *interfaces.local* **file will be:**
 
@@ -646,7 +664,9 @@ with examples in the policy language
 
 **Example** ***semanage node*** **command:**
 
-`semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2`
+```
+semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2
+```
 
 **The resulting** *nodes.local* **file will be:**
 
@@ -671,7 +691,9 @@ with examples in the policy language
 
 **Example** ***semanage port*** **command:**
 
-`semanage port -a -t port_t -p tcp -r s0:c20.c350 8888`
+```
+semanage port -a -t port_t -p tcp -r s0:c20.c350 8888
+```
 
 **The resulting** *ports.local* **file will be:**
 
@@ -690,12 +712,16 @@ module that sets the requested domain in permissive mode.
 
 **Example** ***semanage permissive*** **command to set permissive mode:**
 
-`semanage permissive -a tabrmd_t`
+```
+semanage permissive -a tabrmd_t
+```
 
 This will by default add a CIL policy module to
 *active/modules/400/permissive_tabrmd_t*, that if expanded will contain:
 
-`(typepermissive tabrmd_t)`
+```
+(typepermissive tabrmd_t)
+```
 
 Note that the CIL `typepermissive` statement is used, the equivalent kernel
 policy statement would be [**`permissive`**](type_statements.md#permissive).
diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md
index 19a380d..857a2a5 100644
--- a/src/policy_validation_example.md
+++ b/src/policy_validation_example.md
@@ -50,7 +50,9 @@ args = $@
 
 Next try rebuilding the policy with no changes:
 
-`semodule -B`
+```
+semodule -B
+```
 
 It should succeed, therefore build a module that would violate this rule:
 
@@ -86,7 +88,9 @@ semodule: Failed!
 
 Now run ***sesearch*** to ensure that there is no matching rule:
 
-`sesearch --allow -s user_t -t shadow_t -c file`
+```
+sesearch --allow -s user_t -t shadow_t -c file
+```
 
 Note that there are also a **\[verify module\]** and **\[verify linked\]**
 options as described in the
diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md
index cf2b889..bd3579c 100644
--- a/src/polyinstantiation.md
+++ b/src/polyinstantiation.md
@@ -107,7 +107,9 @@ to set the correct file contexts.
 
 Each line in the namespace.conf file is formatted as follows:
 
-`polydir instance_prefix method list_of_uids`
+```
+polydir instance_prefix method list_of_uids
+```
 
 Where:
 
diff --git a/src/postgresql.md b/src/postgresql.md
index f7ab1e6..8e69f3f 100644
--- a/src/postgresql.md
+++ b/src/postgresql.md
@@ -147,7 +147,9 @@ enable and manage SE-PostgreSQL:
 1.  This entry is mandatory to enable the *sepgsql* extension to be
     loaded:
 
-`shared_preload_libraries = 'sepgsql'`
+```
+shared_preload_libraries = 'sepgsql'
+```
 
 2.  These entries are optional and default to '*off*'.
 
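Review bot: the added fence sits at column 0 between list items 1 and 2, so it ends item 1 instead of belonging to it. Indenting the three added lines by four spaces, in line with "loaded:", keeps the shared_preload_libraries entry inside item 1 and the numbered list in one piece.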
diff --git a/src/reference_policy.md b/src/reference_policy.md
index 4d4fd5d..73e2990 100644
--- a/src/reference_policy.md
+++ b/src/reference_policy.md
@@ -56,7 +56,9 @@ can be found at: <https://github.com/fedora-selinux/selinux-policy>
 
 **Figure 26: The Reference Policy Source Tree** shows the layout of the
 reference policy source tree, that once installed would be located at
-`/etc/selinux/<SELINUXTYPE>/src/policy`
+```
+/etc/selinux/<SELINUXTYPE>/src/policy
+```
 
 Where the **&lt;SELINUXTYPE&gt;** entry is taken from the *build.conf* file
 as discussed in the
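Review bot: in this hunk the opening fence follows "would be located at" with no blank line before it, unlike the other conversions shown here, and the sentence now stops mid-phrase with its path lifted out. The path is the object of the sentence, not a standalone example, so either leave it as inline code or end the line with a colon and put a blank line before the fence.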
@@ -740,7 +742,9 @@ ddcprobe = off
 
 The only active lines (those without comments) contain:
 
-`<module_name> = base | module | off`
+```
+<module_name> = base | module | off
+```
 
 However note that the comments are important as they form part of the
 documentation when it is generated by the *make html* target.
@@ -1263,7 +1267,9 @@ completed:
     will be used as a part of the documentation. An example is as
     follows:
 
-`<summary>ABC modules for the XYZ components.</summary>`
+```
+<summary>ABC modules for the XYZ components.</summary>
+```
 
 
 ## Installing and Building the Reference Policy Source
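Review bot: the fence around the `<summary>` example starts at column 0 although it belongs to the list item whose text is indented four spaces ("follows:"), so the block sits outside that item. Indent the three added lines by four spaces so the example stays attached to the list item it illustrates.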
@@ -1432,7 +1438,9 @@ Note: The following steps were tested on Fedora 31 with no problems.
 
 Install the source as follows:
 
-`rpm -Uvh selinux-policy-<version>.src.rpm`
+```
+rpm -Uvh selinux-policy-<version>.src.rpm
+```
 
 The *rpmbuild/SOURCES* directory contents that will be used to build a copy
 of the **targeted** policy are as follows (there are other files, however
@@ -1637,7 +1645,9 @@ directory. This *Makefile* can be used to build the example modules by
 using makes *-f* option as follows (assuming that the example module
 files are in the local directory):
 
-`make -f /usr/share/selinux/<NAME>/include/Makefile`
+```
+make -f /usr/share/selinux/<NAME>/include/Makefile
+```
 
 However there is another *Makefile* (*./policy/doc Makefile.example*)that can
 be installed in the users home directory (*$HOME*) that will call the master
@@ -1844,11 +1854,15 @@ with examples shown in the [*ifdef*](#ifdef-ifndef-parameters) section.
 
 Correct:
 
-`policy_module(ftp, 1.7.0)`
+```
+policy_module(ftp, 1.7.0)
+```
 
 Incorrect:
 
-`policy_module (ftp, 1.7.0)`
+```
+policy_module (ftp, 1.7.0)
+```
 
 
 ### Loadable Policy Macros
@@ -1867,7 +1881,9 @@ classes and permissions, and optionally MCS / MLS information
 
 ****The macro definition is:****
 
-`policy_module(module_name,version)`
+```
+policy_module(module_name,version)
+```
 
 **Where:**
 
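Review bot: the label line just above the new fence reads `****The macro definition is:****` with four asterisks on each side, where the other macro sections touched in this file use `**The macro definition is:**`. It is only context in this hunk, but as this series is the formatting cleanup it is worth correcting in the same pass.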
@@ -2181,7 +2197,9 @@ used to describe the function and are extracted for the
 
 **The macro definition is:**
 
-`gen_tunable(boolean_name,boolean_value)`
+```
+gen_tunable(boolean_name,boolean_value)
+```
 
 **Where:**
 
@@ -2604,7 +2622,9 @@ where it is used to set the files security context.
 
 **The macro definition is:**
 
-`gen_context(context[,mls | mcs])`
+```
+gen_context(context[,mls | mcs])
+```
 
 **Where:**
 
@@ -2669,7 +2689,9 @@ configuration file if it exists.
 
 **The macro definition is:**
 
-`gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])`
+```
+gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+```
 
 **Where:**
 
@@ -2772,7 +2794,9 @@ used to describe the function and are extracted for the
 
 **The macro definition is:**
 
-`gen_bool(name,default_value)`
+```
+gen_bool(name,default_value)
+```
 
 **Where:**
 
@@ -2905,7 +2929,9 @@ in the current reference policy.
 
 **The macro definition is:**
 
-`gen_cats(mcs_num_cats | mls_num_cats)`
+```
+gen_cats(mcs_num_cats | mls_num_cats)
+```
 
 **Where:**
 
@@ -2974,7 +3000,9 @@ in the current reference policy (note that the *mcs* file has
 
 **The macro definition is:**
 
-`gen_sens(mls_num_sens)`
+```
+gen_sens(mls_num_sens)
+```
 
 **Where:**
 
@@ -3038,7 +3066,9 @@ that contain this macro in the current reference policy.
 
 **The macro definition is:**
 
-`gen_levels(mls_num_sens,mls_num_cats)`
+```
+gen_levels(mls_num_sens,mls_num_cats)
+```
 
 **Where:**
 
@@ -3103,7 +3133,9 @@ level s15:c0.c1023;
 
 These macros define system high etc. as shown.
 
-`mls_systemlow`
+```
+mls_systemlow
+```
 
 ```
 # gives:
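Review bot: `mls_systemlow` becomes a one-line fenced block that is immediately followed by a second fenced block holding its "# gives:" output, so each macro now renders as two stacked code boxes. Consider merging the macro name into the existing block, or keeping the name as inline code on a lead-in line; the same applies to the mls_systemhigh, mcs_systemlow, mcs_systemhigh and mcs_allcats hunks that follow.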
@@ -3111,7 +3143,9 @@ These macros define system high etc. as shown.
 s0
 ```
 
-`mls_systemhigh`
+```
+mls_systemhigh
+```
 
 ```
 # gives:
@@ -3119,7 +3153,9 @@ s0
 s15:c0.c1023
 ```
 
-`mcs_systemlow`
+```
+mcs_systemlow
+```
 
 ```
 # gives:
@@ -3127,7 +3163,9 @@ s15:c0.c1023
 s0
 ```
 
-`mcs_systemhigh`
+```
+mcs_systemhigh
+```
 
 ```
 # gives:
@@ -3135,7 +3173,9 @@ s0
 s0:c0.c1023
 ```
 
-`mcs_allcats`
+```
+mcs_allcats
+```
 
 ```
 # gives:
diff --git a/src/role_statements.md b/src/role_statements.md
index 36fe4c3..c61d9d7 100644
--- a/src/role_statements.md
+++ b/src/role_statements.md
@@ -15,11 +15,15 @@ types with the role.
 
 **The statement definition to declare a role is:**
 
-`role role_id;`
+```
+role role_id;
+```
 
 **The statement definition to associate a role to one or more types is:**
 
-`role role_id types type_id;`
+```
+role role_id types type_id;
+```
 
 **Where:**
 
@@ -99,7 +103,9 @@ can then be used to refer to a group of roles.
 
 **The statement definition is:**
 
-`attribute_role attribute_id;`
+```
+attribute_role attribute_id;
+```
 
 **Where:**
 
@@ -162,7 +168,9 @@ declared roles to one or more previously declared <code>attribute_roles</code>.
 
 **The statement definition is:**
 
-`roleattribute role_id attribute_id;`
+```
+roleattribute role_id attribute_id;
+```
 
 **Where:**
 
@@ -235,7 +243,9 @@ Note that the role allow rule has the same keyword as the allow AV rule.
 
 **The statement definition is:**
 
-`allow from_role_id to_role_id;`
+```
+allow from_role_id to_role_id;
+```
 
 **Where:**
 
@@ -303,11 +313,15 @@ version 25, the `class` can now be defined.
 
 **The statement definition is:**
 
-`role_transition current_role_id type_id new_role_id;`
+```
+role_transition current_role_id type_id new_role_id;
+```
 
 Or from Policy version 25:
 
-`role_transition current_role_id type_id : class new_role_id;`
+```
+role_transition current_role_id type_id : class new_role_id;
+```
 
 **Where:**
 
@@ -365,7 +379,9 @@ Or from Policy version 25:
 
 **Example:**
 
-`role_transition system_r unconfined_exec_t:process unconfined_r;`
+```
+role_transition system_r unconfined_exec_t:process unconfined_r;
+```
 
 
 ## `dominance` - Deprecated
@@ -386,7 +402,9 @@ Notes:
 
 **The statement definition is:**
 
-`dominance { role dom_role_id { role role_id; } }`
+```
+dominance { role dom_role_id { role role_id; } }
+```
 
 Where:
 
diff --git a/src/seandroid.md b/src/seandroid.md
index d9a184c..db0de4f 100644
--- a/src/seandroid.md
+++ b/src/seandroid.md
@@ -471,7 +471,9 @@ and are listed in . Some are available as Toolbox or Toybox commands (see
 *system/core/shell_and_utilities/README.md*) and can be run via *adb shell*,
 for example:
 
-`adb shell pm list permissions -g`
+```
+adb shell pm list permissions -g
+```
 
 ### SELinux enabled commands
 
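Review bot: the sentence carried in this hunk's header reads "and are listed in . Some are available", so the reference target after "listed in" is missing. Nothing in the hunk restores it; fix it alongside the fence conversion or flag it for a follow-up.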
@@ -854,7 +856,9 @@ will help sort out ordering issues.
 Example *BoardConfig.mk* usage from the Tuna device
 *device/samsung/tuna/BoardConfig.mk*:
 
-`BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy`
+```
+BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+```
 
 Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
 definitions during the build. A definition consists of a string in the form
@@ -977,7 +981,9 @@ and a version number to produced a combined "versioned" policy file.
 Android supports auditing of SELinux events via the AOSP logger
 service that can be viewed using *logcat*, for example:
 
-`adb logcat > logcat.log`
+```
+adb logcat > logcat.log
+```
 
 Example SELinux audit events (avc denials) are:
 
@@ -992,7 +998,9 @@ dmesg   : type=1400 audit(0.0:198): avc: denied { syslog_read } for scontext=u:r
 Note that before the auditing daemon is loaded, messages will be logged
 in the kernel buffers that can be read using ***dmesg**(1)*:
 
-`adb shell dmesg`
+```
+adb shell dmesg
+```
 
 
 ## Policy File Formats
@@ -1018,7 +1026,9 @@ devices to specify their entries as described in the
 
 Each line within the file consists of the following:
 
-`pathname_regexp [file_type] security_context`
+```
+pathname_regexp [file_type] security_context
+```
 
 Where:
 
@@ -1369,7 +1379,9 @@ allowing vendors to specify their entries.
 
 The file format is:
 
-`property_key security_context type value`
+```
+property_key security_context type value
+```
 
 type = prefix or exact
 value = int, double, bool or string
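Review bot: the two lines after the new fence, "type = prefix or exact" and "value = int, double, bool or string", are left as bare text, so markdown will join them into a single paragraph and they no longer read as part of the format definition. Either move them inside the fence or turn them into a "Where:" list like the other format sections in this patch.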
@@ -1413,7 +1425,9 @@ devices to specify their entries.
 
 The file format is:
 
-`service_key security_context`
+```
+service_key security_context
+```
 
 Example *service_contexts* Entries:
 
diff --git a/src/security_context.md b/src/security_context.md
index bb219cb..11d2387 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -14,7 +14,9 @@ Linux user id is mapped to the SELinux user id by configuration files),
 their role, a type identifier and an optional MCS / MLS security range or
 level as follows:
 
-`user:role:type[:range]`
+```
+user:role:type[:range]
+```
 
 **Where:**
 
diff --git a/src/sid_statement.md b/src/sid_statement.md
index cbb3ec9..132adb0 100644
--- a/src/sid_statement.md
+++ b/src/sid_statement.md
@@ -14,7 +14,9 @@ the start of a policy source file.
 
 **The statement definition is:**
 
-`sid sid_id`
+```
+sid sid_id
+```
 
 **Where:**
 
@@ -79,7 +81,9 @@ context to the SID.
 
 **The statement definition is:**
 
-`sid sid_id context`
+```
+sid sid_id context
+```
 
 **Where:**
 
diff --git a/src/type_enforcement.md b/src/type_enforcement.md
index 898dae7..02fb100 100644
--- a/src/type_enforcement.md
+++ b/src/type_enforcement.md
@@ -61,7 +61,9 @@ It is possible to add constraints on users, roles, types and MLS ranges,
 for example within a TE environment, the way that subjects are allowed
 to access an object is via a TE [**`allow`**](avc_rules.md#allow), for example:
 
-`allow unconfined_t ext_gateway_t : process transition;`
+```
+allow unconfined_t ext_gateway_t : process transition;
+```
 
 This states that a process running in the `unconfined_t` domain has
 permission to transition a process to the `ext_gateway_t` domain.
@@ -71,7 +73,9 @@ domain is the same as the role of the target domain. To achieve this a
 constraint can be imposed using a
 [**`constrain`**](constraint_statements.md#constrain) statement:
 
-`constrain process transition ( r1 == r2 );`
+```
+constrain process transition ( r1 == r2 );
+```
 
 This states that a process transition can only occur if the source role
 is the same as the target role, therefore a constraint is a condition
diff --git a/src/type_statements.md b/src/type_statements.md
index 76dedab..fb7ec83 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -21,7 +21,9 @@ component of the [**Security Context**](security_context.md#security-context).
 
 **The statement definition is:**
 
-`type type_id [alias alias_id] [, attribute_id];`
+```
+type type_id [alias alias_id] [, attribute_id];
+```
 
 **Where:**
 
@@ -126,7 +128,9 @@ refer to a group of *type* identifiers.
 
 **The statement definition is:**
 
-`attribute attribute_id;`
+```
+attribute attribute_id;
+```
 
 **Where:**
 
@@ -171,7 +175,9 @@ declared types to one or more previously declared attributes.
 
 **The statement definition is:**
 
-`typeattribute type_id attribute_id;`
+```
+typeattribute type_id attribute_id;
+```
 
 **Where:**
 
@@ -243,7 +249,9 @@ The *typealias* statement allows the association of a previously declared
 
 **The statement definition is:**
 
-`typealias type_id alias alias_id;`
+```
+typealias type_id alias alias_id;
+```
 
 **Where:**
 
@@ -311,7 +319,9 @@ policy denial.
 
 **The statement definition is:**
 
-`permissive type_id;`
+```
+permissive type_id;
+```
 
 **Where:**
 
@@ -381,12 +391,16 @@ the transition.
 
 **The statement definitions are:**
 
-`type_transition source_type target_type : class default_type;`
+```
+type_transition source_type target_type : class default_type;
+```
 
 Policy versions 25 and above also support a 'name transition' rule
 however, this is only appropriate for the file classes:
 
-`type_transition source_type target_type : class default_type object_name;`
+```
+type_transition source_type target_type : class default_type object_name;
+```
 
 **Where:**
 
@@ -510,7 +524,9 @@ section for more details.
 
 **The statement definition is:**
 
-`type_change source_type target_type : class change_type;`
+```
+type_change source_type target_type : class change_type;
+```
 
 **Where:**
 
@@ -579,7 +595,9 @@ section for more details.
 
 **The statement definition is:**
 
-`member_type source_type target_type : class member_type;`
+```
+member_type source_type target_type : class member_type;
+```
 
 **Where:**
 
diff --git a/src/types_of_policy.md b/src/types_of_policy.md
index dcbe573..01ff1d6 100644
--- a/src/types_of_policy.md
+++ b/src/types_of_policy.md
@@ -188,7 +188,9 @@ The boolean flag status is held in kernel and can be changed using the
 temporarily (i.e. only valid until a re-boot). The following example
 shows a persistent conditional policy change:
 
-`setsebool -P ext_gateway_audit false`
+```
+setsebool -P ext_gateway_audit false
+```
 
 The conditional policy language statements are the `bool` Statement
 that defines the boolean flag identifier and its initial status, and the
diff --git a/src/user_statements.md b/src/user_statements.md
index 46f2846..7a5ff8a 100644
--- a/src/user_statements.md
+++ b/src/user_statements.md
@@ -11,11 +11,15 @@ previously declared within the policy.
 
 **The statement definition is:**
 
-`user seuser_id roles role_id;`
+```
+user seuser_id roles role_id;
+```
 
 Or for MCS/MLS Policy:
 
-`user seuser_id roles role_id level mls_level range mls_range;`
+```
+user seuser_id roles role_id level mls_level range mls_range;
+```
 
 Where:
 
diff --git a/src/userspace_libraries.md b/src/userspace_libraries.md
index 6db6bb7..8939246 100644
--- a/src/userspace_libraries.md
+++ b/src/userspace_libraries.md
@@ -123,7 +123,9 @@ SELinux sub-system:
 
 There is a static version of the library that is not installed by default:
 
-`dnf install libselinux-static`
+```
+dnf install libselinux-static
+```
 
 ## libsepol Library
 
@@ -132,7 +134,9 @@ binary policy files.
 
 There is a static version of the library that is not installed by default:
 
-`dnf install libsepol-static`
+```
+dnf install libsepol-static
+```
 
 This is used by commands such as ***audit2allow**(8)* and ***checkpolicy**(8)*
 as they require access to functions that are not available in the dynamic
diff --git a/src/vm_support.md b/src/vm_support.md
index 09321ed..07ad32f 100644
--- a/src/vm_support.md
+++ b/src/vm_support.md
@@ -20,7 +20,9 @@ to configure VMs, then an overview of the Xen implementation follows.
 
 To ensure all dependencies are installed run:
 
-`dnf install libvirt qemu virt-manager`
+```
+dnf install libvirt qemu virt-manager
+```
 
 ## KVM / QEMU Support
 
@@ -205,7 +207,9 @@ To overcome this error, the following boolean needs to be enabled with
 ***setsebool**(8)* to allow access to shared memory (the *-P* option
 will set the boolean across reboots):
 
-`setsebool -P virt_use_execmem on`
+```
+setsebool -P virt_use_execmem on
+```
 
 Now that the image has been configured as shareable, the following
 initialisation process will take place:
@@ -274,7 +278,9 @@ enforcing mode (just so all errors are flagged during the build):
 1.  To set the required security context requires editing the
     *Static_VM1* configuration file using ***virsh**(1)* as follows:
 
-`virsh edit Static_VM1`
+```
+virsh edit Static_VM1
+```
 
 Then add the following at the end of the file:
 
diff --git a/src/x_windows.md b/src/x_windows.md
index 86f966e..898123c 100644
--- a/src/x_windows.md
+++ b/src/x_windows.md
@@ -121,7 +121,9 @@ following command will enable the boolean, however it will be necessary
 to reload X-Windows to initialise the extension (i.e. run the **init 3**
 and then **init 5** commands):
 
-`setsebool -P xserver_object_manager true`
+```
+setsebool -P xserver_object_manager true
+```
 
 If the boolean is set to *false*, the x-server log will indicate
 that "SELinux: Disabled by boolean". Important note - If the boolean is
diff --git a/src/xen_statements.md b/src/xen_statements.md
index 5688893..e2c4cc3 100644
--- a/src/xen_statements.md
+++ b/src/xen_statements.md
@@ -20,7 +20,9 @@ Label i/o memory. This may be a single memory location or a range.
 
 **The statement definition is:**
 
-`iomemcon addr context`
+```
+iomemcon addr context
+```
 
 **Where:**
 
@@ -64,7 +66,9 @@ Label i/o ports. This may be a single port or a range.
 
 **The statement definition is:**
 
-`ioportcon port context`
+```
+ioportcon port context
+```
 
 **Where:**
 
@@ -108,7 +112,9 @@ Label a PCI device.
 
 **The statement definition is:**
 
-`pcidevicecon pci_id context`
+```
+pcidevicecon pci_id context
+```
 
 **Where:**
 
@@ -140,7 +146,9 @@ Conditional Policy Statements
 
 **Example:**
 
-`pcidevicecon 0xc800 system_u:object_r:nicP_t`
+```
+pcidevicecon 0xc800 system_u:object_r:nicP_t
+```
 
 ## *pirqcon*
 
@@ -148,7 +156,9 @@ Label an interrupt level.
 
 **The statement definition is:**
 
-`pirqcon irq context`
+```
+pirqcon irq context
+```
 
 **Where:**
 
@@ -180,7 +190,9 @@ Conditional Policy Statements
 
 **Example:**
 
-`pirqcon 33 system_u:object_r:nicP_t`
+```
+pirqcon 33 system_u:object_r:nicP_t
+```
 
 ## *devicetreecon*
 
@@ -188,7 +200,9 @@ Label device tree nodes.
 
 **The statement definition is:**
 
-`devicetreecon path context`
+```
+devicetreecon path context
+```
 
 **Where:**
 
@@ -221,7 +235,9 @@ Conditional Policy Statements
 
 **Example:**
 
-`devicetreecon "/this is/a/path" system_u:object_r:arm_path`
+```
+devicetreecon "/this is/a/path" system_u:object_r:arm_path
+```
 
 <!-- %CUTHERE% -->
 
diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index 21878ea..7f8744b 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -12,7 +12,9 @@ libsepol 2.7 minimum is required).
 
 **The common format for Extended Access Vector Rules are:**
 
-`rule_name source_type target_type : class operation xperm_set;`
+```
+rule_name source_type target_type : class operation xperm_set;
+```
 
 **Where:**
 
@@ -82,7 +84,9 @@ versions &lt; 30 only controls whether an *ioctl* permission is allowed
 or not, for example this rule allows the object class *tcp_socket* the
 *ioctl* permission:
 
-`allow src_t tgt_t : tcp_socket ioctl;`
+```
+allow src_t tgt_t : tcp_socket ioctl;
+```
 
 From Policy version 30 it is possible to control ***ioctl**(2)*
 '*request*' parameters provided the *ioctl* permission is also allowed,



* [RFC,selinux-notebook PATCH 15/18] all: consolidate multiple blank lines into one
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (12 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 13/18] all: unify example formatting (scripts, code, policy, etc) in markdown Paul Moore
@ 2020-08-04  1:34 ` Paul Moore
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 16/18] kernel_policy_language: convert the footnotes to markdown Paul Moore
                   ` (3 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:34 UTC (permalink / raw)
  To: selinux

This has zero impact on the rendered formats, but improves the
consistency of the raw markdown.  Done with the following script:

  for i in *.md; do
    sed -i 'N;/^\n$/D;P;D;' $i
  done

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/apache_support.md              |    5 ----
 src/auditing.md                    |    7 -----
 src/avc_rules.md                   |    6 ----
 src/bounds_rules.md                |    2 -
 src/cil_overview.md                |    2 -
 src/class_permission_statements.md |    5 ----
 src/computing_access_decisions.md  |    1 -
 src/computing_security_contexts.md |   15 -----------
 src/conditional_statements.md      |    3 --
 src/configuration_files.md         |    3 --
 src/constraint_statements.md       |    4 ---
 src/core_components.md             |    5 ----
 src/debug_policy_hints.md          |    4 ---
 src/default_rules.md               |    4 ---
 src/domain_object_transitions.md   |    4 ---
 src/file_labeling_statements.md    |    5 ----
 src/global_config_files.md         |    7 -----
 src/implementing_seaware_apps.md   |    6 ----
 src/infiniband_statements.md       |    3 --
 src/kernel_policy_language.md      |    8 ------
 src/libselinux_functions.md        |    1 -
 src/lsm_selinux.md                 |    9 ------
 src/mac.md                         |    3 --
 src/mls_mcs.md                     |    9 ------
 src/mls_statements.md              |   10 -------
 src/modes.md                       |    2 -
 src/modular_policy_statements.md   |    2 -
 src/network_statements.md          |    4 ---
 src/network_support.md             |    9 ------
 src/object_classes_permissions.md  |   24 -----------------
 src/objects.md                     |    5 ----
 src/pam_login.md                   |    2 -
 src/policy_config_files.md         |   43 -------------------------------
 src/policy_config_statements.md    |    1 -
 src/policy_languages.md            |    1 -
 src/policy_store_config_files.md   |   23 -----------------
 src/policy_validation_example.md   |    1 -
 src/polyinstantiation.md           |    8 ------
 src/rbac.md                        |    2 -
 src/reference_policy.md            |   50 ------------------------------------
 src/role_statements.md             |    6 ----
 src/seandroid.md                   |   18 -------------
 src/security_context.md            |    1 -
 src/selinux_cmds.md                |    2 -
 src/selinux_overview.md            |    2 -
 src/sid_statement.md               |    2 -
 src/subjects.md                    |    3 --
 src/terminology.md                 |    3 --
 src/title.md                       |    1 -
 src/toc.md                         |    1 -
 src/type_enforcement.md            |    4 ---
 src/types_of_policy.md             |   11 --------
 src/users.md                       |    2 -
 src/vm_support.md                  |    2 -
 54 files changed, 366 deletions(-)

diff --git a/src/apache_support.md b/src/apache_support.md
index 6b794c6..8e8df1c 100644
--- a/src/apache_support.md
+++ b/src/apache_support.md
@@ -52,7 +52,6 @@ the LAPP<a href="#fnap1" class="footnote-ref" id="fnaph1"><strong><sup>1</sup></
 The [A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf)
 document gives a good overview of the LAPP architecture.
 
-
 ## *mod_selinux* Overview
 
 What the *mod_selinux* module achieves is to allow a web application
@@ -77,7 +76,6 @@ itself, for example:
 3.  The web application exits, handing control back to the web server
     that replies with the HTTP response.
 
-
 ## Bounds Overview
 
 Because multiple threads share the same memory segment, SELinux was
@@ -122,15 +120,12 @@ operation will be denied and an *SELINUX_ERR* entry will be added to
 the audit log stating *op=security_compute_av reason=bounds* with
 the context strings and the denied class and permissions.
 
-
-
 <section class="footnotes">
 <ol>
 <li id="fnap1"><p>This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack, however MySQL is not SELinux-aware.<a href="#fnaph1" class="footnote-back">↩</a></p></li>
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/auditing.md b/src/auditing.md
index e07429a..56f2a00 100644
--- a/src/auditing.md
+++ b/src/auditing.md
@@ -40,7 +40,6 @@ Notes:
     ***selinux_set_callback**(3)* and specifying an alternative log
     handler.
 
-
 ## AVC Audit Events
 
 **Table 1** describes the general format of AVC audit
@@ -232,7 +231,6 @@ exe="/usr/move_file/move_file_c"
 subj=unconfined_u:unconfined_r:move_file_t key=(null)
 ```
 
-
 ## General SELinux Audit Events
 
 This section shows a selection of non-AVC SELinux-aware services audit
@@ -269,7 +267,6 @@ policyload notice (seqno=2) : exe="/usr/bin/Xorg" sauid=0 hostname=?
 addr=? terminal=?'
 ```
 
-
 Change enforcement mode - *MAC_STATUS* - This was generated when the
 SELinux enforcement mode was changed:
 
@@ -284,7 +281,6 @@ tty=pts0 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 ```
 
-
 Change boolean value - *MAC_CONFIG_CHANGE* - This event was generated
 when ***setsebool**(8)* was run to change a boolean. Note that the
 bolean name plus new and old values are shown in the
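Review bot: "bolean" in the last context line of this hunk should be "boolean"; an easy fix to fold into this cleanup series.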
@@ -319,7 +315,6 @@ exe="/sbin/netlabelctl"
 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 ```
 
-
 Labeled IPSec - *MAC_IPSEC_EVENT* - Generated when running
 ***setkey**(8)* to load IPSec configuration:
 
@@ -371,7 +366,6 @@ exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c300
 key=(null)
 ```
 
-
 Role changes - *USER_ROLE_CHANGE* - Used ***newrole**(1)* to set a new
 role that was not valid.
 
@@ -385,7 +379,6 @@ new-context=?: exe="/usr/bin/newrole" hostname=? addr=?
 terminal=/dev/pts/0 res=failed'
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/avc_rules.md b/src/avc_rules.md
index c216fc8..7572302 100644
--- a/src/avc_rules.md
+++ b/src/avc_rules.md
@@ -79,7 +79,6 @@ rule_name source_type target_type : class perm_set;
 </tbody>
 </table>
 
-
 ## *allow*
 
 The allow rule checks whether the operations between the source\_type
@@ -139,7 +138,6 @@ allow bootloader_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow files_unconfined_type file_type:{ file chr_file } ~execmod;
 ```
 
-
 ## *dontaudit*
 
 The *dontaudit* rule stops the auditing of denial messages as it is known
@@ -158,7 +156,6 @@ also helps to manage the audit log by excluding known events.
 dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind;
 ```
 
-
 ## *auditallow*
 
 Audit the event as a record as it is useful for auditing purposes. Note
@@ -175,7 +172,6 @@ to grant permission.
 auditallow ada_t self:process execstack;
 ```
 
-
 ## *neverallow*
 
 This rule specifies that an *allow* rule must not be generated for the
@@ -205,7 +201,6 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
 ```
 
-
 <section class="footnotes">
 <ol>
 <li id="fna1"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the 'expand-check=1' entry present.<a href="#fnavc1" class="footnote-back">↩</a></p></li>
@@ -213,7 +208,6 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/bounds_rules.md b/src/bounds_rules.md
index 2949bc2..55a793a 100644
--- a/src/bounds_rules.md
+++ b/src/bounds_rules.md
@@ -12,7 +12,6 @@ NOT enforced by the SELinux kernel services). The
 [**CIL Reference Guide**](notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
 gives details.
 
-
 ## *typebounds*
 
 The *typebounds* rule was added in version 24 of the policy. This
@@ -92,7 +91,6 @@ allow httpd_t etc_t : file { getattr read };
 allow httpd_child_t etc_t : file { read write };
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/cil_overview.md b/src/cil_overview.md
index c3e280f..aa22bff 100644
--- a/src/cil_overview.md
+++ b/src/cil_overview.md
@@ -35,7 +35,6 @@ language perspective it will:
 | *allow* (role)   | *roleallow*        |
 | *dominance*      | *sensitivityorder* |
 
-
 2.  Additional CIL statements have been defined to enhance
     functionality:
 
@@ -147,7 +146,6 @@ declarations with the order in which they are declared in the kernel.
 A module store is created by *semodule* to give easy access to the
 source and that allows for full control over the policy.
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md
index a0a1379..4090fa0 100644
--- a/src/class_permission_statements.md
+++ b/src/class_permission_statements.md
@@ -16,7 +16,6 @@ There are two variants of the *class* statement for writing policy:
     [**Associating Permissions to a Class**](#associating-permissions-to-a-class)
     section.
 
-
 ## *class*
 
 Object classes are declared within a policy with the following statement
@@ -76,7 +75,6 @@ class class_id
 class db_tuple
 ```
 
-
 ### Associating Permissions to a Class
 
 Permissions can be defined within policy in two ways:
@@ -90,7 +88,6 @@ Permissions can be defined within policy in two ways:
 A list of classes and their permissions used by the **Reference Policy**
 can be found in the *./policy/flask/access_vectors* file.
 
-
 ## *common*
 
 Declare a *common* identifier and associate one or more *common* permissions.
@@ -155,7 +152,6 @@ common common_id { perm_set }
 common database { create drop getattr setattr relabelfrom relabelto }
 ```
 
-
 ## *class*
 
 Inherit and / or associate permissions to a perviously declared *class* identifier.
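
Review bot: the last context line of this hunk misspells "previously" as "perviously", and the `## *class*` heading above it duplicates the `## *class*` heading earlier in the same file, so the two sections end up with colliding or auto-suffixed anchors in the rendered HTML. Since the series already touches the lines around both headings, a follow-up could fix the spelling and give the second heading a distinguishing title.
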
@@ -248,7 +244,6 @@ class db_blob inherits database
 class db_blob inherits database { read write import export }
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/computing_access_decisions.md b/src/computing_access_decisions.md
index ce4cf11..5ab9430 100644
--- a/src/computing_access_decisions.md
+++ b/src/computing_access_decisions.md
@@ -57,7 +57,6 @@ require kernel system call over-heads once set up. Note that these
 functions are only available from *libselinux* 2.0.99, with Linux kernel
 2.6.37 and above.
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index 1d7c975..5849375 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -46,7 +46,6 @@ various kernel objects (also see the
 [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
 section.
 
-
 ### Process
 
 The initial task starts with the kernel security context, but the
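
Review bot: the cross-reference sentence in this hunk's context opens a parenthesis at "(also see the" and ends at "section." without closing it. Suggest ending it with "section)." in a follow-up cleanup.
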
@@ -73,7 +72,6 @@ Processes inherit their security context as follows:
     practice is generally discouraged - exec-based transitions are
     preferred.
 
-
 ### Files
 
 The default behavior for labeling files (actually inodes that consist of
@@ -111,12 +109,10 @@ SID, which is mapped to a context by the policy. This default may be
 overridden via the *defcontext=* mount option on a per-mount basis as
 described in ***mount**(8)*.
 
-
 ### File Descriptors
 
 Inherits the label of its creator/parent.
 
-
 ### Filesystems
 
 Filesystems are labeled using the appropriate *fs_use* kernel policy
@@ -164,14 +160,12 @@ Notes:
     *context=*, *fscontext=*, *defcontext=* and *rootcontext=*. They are
     fully described in the ***mount**(8)* man page.
 
-
 ### Network File System (nfsv4.2)
 
 If labeled NFS is implemented with *xattr* support, then the creation of
 inodes are treated as described in the [Files](#files)
 section.
 
-
 ### INET Sockets
 
 If a socket is created by the ***socket**(3)* call they are labeled as
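
Review bot: under `### Network File System (nfsv4.2)`, "the creation of inodes are treated" has a subject/verb mismatch; "the creation of inodes is treated" reads correctly. The first line of the *INET Sockets* section has the same kind of slip in "If a socket is created by the ... call they are labeled".
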
@@ -204,12 +198,10 @@ Some sockets may be labeled with the kernel SID to reflect the fact that
 they are kernel-internal sockets that are not directly exposed to
 applications.
 
-
 ### IPC
 
 Inherits the label of its creator/parent.
 
-
 ### Message Queues
 
 Inherits the label of its sending process. However if sending a message
@@ -233,17 +225,14 @@ the message queue it will be stored in as follows:
     with the selected range being low, high or low-high to be defined
     for the message object class).
 
-
 ### Semaphores
 
 Inherits the label of its creator/parent.
 
-
 ### Shared Memory
 
 Inherits the label of its creator/parent.
 
-
 ### Keys
 
 Inherits the label of its creator/parent.
@@ -251,7 +240,6 @@ Inherits the label of its creator/parent.
 Security-aware applications may use ***setkeycreatecon**(3)* to
 explicitly label keys they create if permitted by policy.
 
-
 ## Using libselinux Functions
 
 ### *avc_compute_create* and *security_compute_create*
@@ -349,7 +337,6 @@ new context *newcon* (referenced by SIDs for
 
 **Table 1**
 
-
 ### *avc_compute_member* and *security_compute_member*
 
 **Table 2** shows how the components from the source context,
@@ -424,7 +411,6 @@ the new context *newcon* (referenced by SIDs for
 
 **Table 2**
 
-
 ### *security_compute_relabel*
 
 **Table 3** below shows how the components from the source context,
@@ -502,7 +488,6 @@ following notes also apply:
 
 **Table 3**
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/conditional_statements.md b/src/conditional_statements.md
index 7930b45..3cf07df 100644
--- a/src/conditional_statements.md
+++ b/src/conditional_statements.md
@@ -56,7 +56,6 @@ getsebool -a
 getsebool allow_daemons_use_tty
 ```
 
-
 ## bool
 
 The *bool* statement is used to specify a boolean identifier and its
@@ -134,7 +133,6 @@ bool allow_execheap false;
 bool allow_execstack true;
 ```
 
-
 ### if
 
 The if statement is used to form a 'conditional block' of statements and
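
Review bot: `### if` sits one level below `## bool` from the previous hunk, which nests the *if* statement under *bool* in the rendered table of contents, and neither heading uses the italic form (`## *auditallow*`, `## *neverallow*`) that other statement headings in this patch use. If the nesting is not intentional, promote `if` to `##` and italicise both headings.
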
@@ -260,7 +258,6 @@ if (read_untrusted_content) {
 }
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/configuration_files.md b/src/configuration_files.md
index 9cb97cd..3515f1b 100644
--- a/src/configuration_files.md
+++ b/src/configuration_files.md
@@ -33,7 +33,6 @@ as follows:
     viewing the currently loaded policy using tools such as
     ***apol**(1)* (e.g. *apol /sys/fs/selinux/policy*).
 
-
 ## The Policy Store
 
 Version 2.7 of *libsemanage*, *libsepol*, and *policycoreutils* had the
@@ -148,7 +147,6 @@ already available, the following message will be given: "*A higher
 priority &lt;name&gt; module exists at priority &lt;999&gt; and will
 override the module currently being installed at priority &lt;111&gt;*".
 
-
 ## Converting policy packages to CIL
 
 A component of the update is to add a facility that converts compiled
@@ -175,7 +173,6 @@ Options:
 -h, --help print this message and exit
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/constraint_statements.md b/src/constraint_statements.md
index 39f441e..4834f6b 100644
--- a/src/constraint_statements.md
+++ b/src/constraint_statements.md
@@ -172,7 +172,6 @@ constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create r
 	(u1 == u2 or t1 == can_change_object_identity);
 ```
 
-
 ## *validatetrans*
 
 This statement is used to control the ability to change the objects
@@ -274,7 +273,6 @@ validatetrans class expression;
 validatetrans { file } { t1 == unconfined_t );
 ```
 
-
 ## *mlsconstrain*
 
 The mlsconstrain statement allows further restriction on permissions for
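
Review bot: the example in the first context line, `validatetrans { file } { t1 == unconfined_t );`, opens its expression with `{` and closes it with `)`. The *constrain* example earlier in this file parenthesises its expression, so this one should read `( t1 == unconfined_t )`.
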
@@ -400,7 +398,6 @@ mlsconstrain dir search
 	( t2 == mlstrustedobject ));
 ```
 
-
 ## *mlsvalidatetrans*
 
 The *mlsvalidatetrans* is the MLS equivalent of the *validatetrans*
@@ -531,7 +528,6 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
 	(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/core_components.md b/src/core_components.md
index 0cc9e65..0bb9058 100644
--- a/src/core_components.md
+++ b/src/core_components.md
@@ -17,7 +17,6 @@ manage enforcement of the policy and comprise of the following:
 5.  An Access Vector Cache (AVC) that improves system performance by
     caching security server decisions.
 
-
 ![](./images/1-core.png)
 
 **Figure 1: High Level Core SELinux Components** - *Decisions by the
@@ -25,12 +24,10 @@ Security Server are cached in the AVC to enhance performance of future
 requests. Note that it is the kernel and userspace Object Managers that
 enforce the policy.*
 
-
 ![](./images/2-high-level-arch.png)
 
 **Figure 2: High Level SELinux Architecture** - *Showing the major supporting services*
 
-
 **Figure 2** shows a more complex diagram of kernel and userspace with a number of
 supporting services that are used to manage the SELinux environment.
 This diagram will be referenced a number of times to explain areas of
@@ -131,7 +128,6 @@ The [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module
 section goes into greater detail of the LSM / SELinux modules with a walk
 through of a ***fork**(2)* and ***exec**(2)* process.
 
-
 <section class="footnotes">
 <ol>
 <li id="fnc1"><p>When SELinux is enabled, the policy can be running in 'permissive mode' (<code>SELINUX=permissive</code>), where all accesses are allowed. The policy
@@ -145,7 +141,6 @@ statement that allows a domain to run in permissive mode while the others are st
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/debug_policy_hints.md b/src/debug_policy_hints.md
index 913a82a..1bdd8f4 100644
--- a/src/debug_policy_hints.md
+++ b/src/debug_policy_hints.md
@@ -2,10 +2,6 @@
 
 I'm sure there is more to add here !!!
 
-
-
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/default_rules.md b/src/default_rules.md
index b6e35d2..92ba272 100644
--- a/src/default_rules.md
+++ b/src/default_rules.md
@@ -79,7 +79,6 @@ default_user file target;
 default_user { x_selection x_property } source;
 ```
 
-
 ## *default_role*
 
 Allows the default role to be taken from the source or target context
@@ -155,7 +154,6 @@ default_role file target;
 default_role { x_selection x_property } source;
 ```
 
-
 ## *default_type*
 
 Allows the default type to be taken from the source or target context
@@ -231,7 +229,6 @@ default_type file target;
 default_type { x_selection x_property } source;
 ```
 
-
 ## *default_range*
 
 Allows the default range or level to be taken from the source or target
@@ -332,7 +329,6 @@ default_type { x_selection x_property } source low_high;
 default_range db_table glblub;
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
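
Review bot: the hunk header context shows `default_type { x_selection x_property } source low_high;` among the *default_range* examples, next to `default_range db_table glblub;`. `low_high` is a range selector, so that line looks like it should begin with `default_range`; worth correcting while this file is being cleaned up.
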
diff --git a/src/domain_object_transitions.md b/src/domain_object_transitions.md
index c7e74e0..030d866 100644
--- a/src/domain_object_transitions.md
+++ b/src/domain_object_transitions.md
@@ -8,7 +8,6 @@ This section discusses the *type_transition* statement that is used to:
 These transitions can also be achieved using the **libselinux** API
 functions for SELinux-aware applications.
 
-
 ## Domain Transition
 
 A domain transition is where a process in one domain starts a new
@@ -98,7 +97,6 @@ SELinux enabled kernel.
 within the *unconfined_t* domain and then transitioned to the *ext_gateway_t*
 domain.*
 
-
 ### Type Enforcement Rules
 
 When building the *ext_gateway.conf* and *int_gateway.conf* modules the
@@ -221,7 +219,6 @@ Other ways to resolve this issue are:
 It was decided to use runcon as it demonstrates the command usage better
 than reading the man pages.
 
-
 ## Object Transition
 
 An object transition is where a new object requires a different label to
@@ -295,7 +292,6 @@ drwxr-xr-x root root system_u:object_r:unconfined_t ..
 -rw-r--r-- root root unconfined_u:object_r:in_file_t Message-2
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/file_labeling_statements.md b/src/file_labeling_statements.md
index b28c1ff..34c2ca8 100644
--- a/src/file_labeling_statements.md
+++ b/src/file_labeling_statements.md
@@ -12,7 +12,6 @@ therefore if the policy supports MCS / MLS, then an *mls_range* is
 required as described in the
 [**MLS range Definition**](mls_statements.md#mls-range-definition) section.
 
-
 ## *fs_use_xattr*
 
 The *fs_use_xattr* statement is used to allocate a security context to
@@ -86,7 +85,6 @@ fs_use_xattr ext2 system_u:object_r:fs_t:s0;
 fs_use_xattr ext3 system_u:object_r:fs_t:s0;
 ```
 
-
 ## *fs_use_task*
 
 The *fs_use_task* statement is used to allocate a security context to
@@ -158,7 +156,6 @@ fs_use_task pipefs system_u:object_r:fs_t:s0;
 fs_use_task sockfs system_u:object_r:fs_t:s0;
 ```
 
-
 ## *fs_use_trans*
 
 The *fs_use_trans* statement is used to allocate a security context to
@@ -230,7 +227,6 @@ fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
 fs_use_trans devpts system_u:object_r:devpts_t:s0;
 ```
 
-
 ## *genfscon*
 
 The *genfscon* statement is used to allocate a security context to
@@ -323,7 +319,6 @@ genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0
 genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/global_config_files.md b/src/global_config_files.md
index 682b0fb..80e557b 100644
--- a/src/global_config_files.md
+++ b/src/global_config_files.md
@@ -9,7 +9,6 @@ important files are:
 -   */etc/selinux/semanage.conf* - This is used by the SELinux policy
     configuration subsystem for modular or CIL policies.
 
-
 ## */etc/selinux/config*
 
 If this file is missing or corrupt no SELinux policy will be loaded
@@ -82,7 +81,6 @@ SELINUX=permissive
 SELINUXTYPE=targeted
 ```
 
-
 ## */etc/selinux/semanage.conf*
 
 The ***semanage.config**(5)* file controls the configuration and actions
@@ -273,7 +271,6 @@ args = $@
 [end]
 ```
 
-
 ## */etc/selinux/restorecond.conf*
 ## *restorecond-user.conf*
 
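
Review bot: `## */etc/selinux/restorecond.conf*` is followed immediately by `## *restorecond-user.conf*`, giving two level-2 headings with no text between them, so the first renders as an empty section with its own table-of-contents entry. Consider a single combined heading, or one heading plus a sentence naming the second file.
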
@@ -316,13 +313,11 @@ directories).
 ~/public_html/*
 ```
 
-
 ## */etc/selinux/newrole_pam.conf*
 
 The optional *newrole\_pam.conf* file is used by ***newrole**(1)* and
 maps commands to ***PAM**(8)* service names.
 
-
 ## */etc/sestatus.conf*
 
 The ***sestatus.conf**(5)* file is used by the ***sestatus**(8)* command to
@@ -362,7 +357,6 @@ List of processes to display context
 /usr/sbin/sshd
 ```
 
-
 ## */etc/security/sepermit.conf*
 
 The ***sepermit.conf**(5)* file is used by the *pam_sepermit.so* module
@@ -407,7 +401,6 @@ example that describes the configuration:
 xguest:exclusive
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/implementing_seaware_apps.md b/src/implementing_seaware_apps.md
index 1aa1f90..13020c9 100644
--- a/src/implementing_seaware_apps.md
+++ b/src/implementing_seaware_apps.md
@@ -36,7 +36,6 @@ SELinux-aware applications do not (they rely on 'Object Managers' to do
 this e.g. the kernel based Object Managers such as those that manage
 filesystem, IPC and network labeling).
 
-
 ## Implementing SELinux-aware Applications
 
 This section puts forward various points that may be useful when
@@ -95,7 +94,6 @@ developing SELinux-aware applications and object managers using
     explained at:
 <http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=12b29f34558b9b45a2c6eabd4f3c6be939a3980f>
 
-
 ## Implementing Object Managers
 
 To implement object managers for applications, an understanding of the
@@ -155,7 +153,6 @@ classes/permissions.
     the [**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf), and for reference, the SE-PostgreSQL service also implements a similar
     interface.
 
-
 ## Reference Policy Changes
 
 When adding a new object manager to SELinux, it will require at least a
@@ -208,7 +205,6 @@ not require modification, and supplying the module files (*\*.te*,
 ## </required>
 ```
 
-
 ## Adding New Object Classes and Permissions
 
 Because userspace object managers do not require their new classes and
@@ -286,7 +282,6 @@ dynamic class/perm discovery:
     by the kernel. Then add allow rules as appropriate to the policy for
     the new permissions.
 
-
 <section class="footnotes">
 <ol>
 <li id="fni1"><p>The SELinux security server does not enforce a decision, it merely
@@ -298,7 +293,6 @@ applied to their objects as defined by policy.<a href="#fnisa1" class="footnote-
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/infiniband_statements.md b/src/infiniband_statements.md
index 2cb1529..492bdb6 100644
--- a/src/infiniband_statements.md
+++ b/src/infiniband_statements.md
@@ -8,7 +8,6 @@ overview of the SELinux IB implementation can be found at:
 
 Note that there are no terminating semi-colons ';' on these statements.
 
-
 ## *ibpkeycon*
 
 The *ibpkeycon* statement is used to label IB partition keys.
@@ -97,7 +96,6 @@ in the default *<SELINUXTYPE>* policy store and then activate the policy:
 ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
 ```
 
-
 ## *ibendportcon*
 
 The *ibendportcon* statement is used to label IB end ports.
@@ -186,7 +184,6 @@ This command will produce the following file
 ibendportcon mlx4_0 2 system_u:object_r:opensm_ibendport_t:s0
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md
index e45311d..eba0564 100644
--- a/src/kernel_policy_language.md
+++ b/src/kernel_policy_language.md
@@ -33,7 +33,6 @@ extension. These files are compiled using the ***checkmodule**(8)* command.
 appear in source files with the mandatory statements that must be
 present.
 
-
 <table>
 <tbody>
 <tr style="background-color:#D3D3D3;">
@@ -205,7 +204,6 @@ Where:
 **Table 3** shows a cross reference matrix of statements
 and rules allowed in each type of policy source file.
 
-
 ## Conditional, Optional and Require Statement Rules
 
 The language grammar specifies what statements and rules can be included
@@ -260,7 +258,6 @@ Where:
 **Table 3** shows a cross reference matrix of statements
 and rules allowed in each of the above policy statements.
 
-
 ## MLS Statements and Optional MLS Components
 
 The [**MLS Statements**](mls_statements.md#mls-statements) section defines
@@ -270,7 +267,6 @@ context as an argument, (for example the
 [**Network Labeling Statements**](network_statements.md#network-labeling-statements)),
 therefore these statements show an example taken from the MLS **Reference Policy** build.
 
-
 ## General Statement Information
 
 1.  Identifiers can generally be any length but should be restricted to
@@ -480,7 +476,6 @@ same).
 
 **Table 2: Policy language reserved words**
 
-
 **Table 3** shows what policy language statements and rules are allowed
 within each type of policy source file, and whether the statement is valid
 within an *if/else* construct, *optional {rule_list}*, or
@@ -948,7 +943,6 @@ policy source file. The right hand side of the table shows whether the
 statement is valid within the *if/else* construct, *optional {rule_list}*,
 or *require {rule_list}* statement.*
 
-
 ## Section Contents
 
 The policy language statement and rule sections are as follows:
@@ -975,7 +969,6 @@ Note these are not kernel policy statements, but used by the Reference Policy
 to assist policy build:
 -   [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
 
-
 <section class="footnotes">
 <ol>
 <li id="fn1"><p>It is important to note that the <strong>Reference Policy</strong> builds policy using makefiles and m4 support macros within its own source file structure. However, the end result of the make process is that there can be three possible types of source file built (depending on the <strong>MONOLITHIC=Y/N</strong> build option). These files contain the policy language statements and rules that are finally complied into a binary policy.<a href="#fnker1" class="footnote-back">↩</a></p></li>
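
Review bot: footnote `fn1` in this hunk's context says the statements and rules are "finally complied into a binary policy"; that should be "compiled".
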
@@ -986,7 +979,6 @@ to assist policy build:
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md
index 34f9a06..9cae37a 100644
--- a/src/libselinux_functions.md
+++ b/src/libselinux_functions.md
@@ -1093,7 +1093,6 @@ The appropriate ***man**(3)* pages should consulted for detailed usage.
 </tbody>
 </table>
 
-
 <!-- %CUTHERE% -->
 
 ---
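
Review bot: the sentence shown in the hunk header, "The appropriate ***man**(3)* pages should consulted for detailed usage.", is missing "be". Suggest "should be consulted".
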
diff --git a/src/lsm_selinux.md b/src/lsm_selinux.md
index 9c2aac4..e426f28 100644
--- a/src/lsm_selinux.md
+++ b/src/lsm_selinux.md
@@ -15,7 +15,6 @@ the SELinux kernel source code). The major areas covered are:
 4.  The SELinux filesystem */sys/fs/selinux*.
 5.  The */proc* filesystem area most applicable to SELinux.
 
-
 ## The LSM Module
 
 The LSM is the Linux security framework that allows 3<sup>rd</sup> party
@@ -95,7 +94,6 @@ inserted security hooks and structures to allow access control to be
 managed by 3<sup>rd</sup> party modules (see
 ./linux-3.14/include/linux/security.h).*
 
-
 | ***/proc/self/attr/*** **Permissions** |  **File Name**|     **Function**                              |
 | ------------ | ------------ | ------------------------------------------------------------------------ |
 | *current*    | *-rw-rw-rw-* | Contains the current process security context.                           |
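
Review bot: the header row of the */proc/self/attr* table does not match its data: the first cell is labelled "***/proc/self/attr/*** **Permissions**" and the second "**File Name**", but the row below puts the file name `*current*` first and the mode `*-rw-rw-rw-*` second. Swap the two header labels (file name, then permissions) so the columns line up with their contents.
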
@@ -149,7 +147,6 @@ hooks and structures.
 
 **Table 3:** *The core LSM source modules.*
 
-
 ## The SELinux Module
 
 This section does not go into detail of all the SELinux module
@@ -274,7 +271,6 @@ to see how some of these kernel source modules fit together.
 **Table 4: The core SELinux source modules** - *The .h files and those in
 the include directory have a number of useful comments.*
 
-
 ### Fork System Call Walk-thorough
 
 This section walks through the the ***fork**(2)* system call shown in
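
Review bot: the heading `### Fork System Call Walk-thorough` should read "Walk-through", and the sentence under it has a doubled word in "walks through the the ***fork**(2)* system call". The same heading spelling recurs in `### Process Transition Walk-thorough` in the next hunk. Renaming the headings changes their generated anchors, so any links to them need updating in the same change.
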
@@ -339,7 +335,6 @@ is valid):
 required to check access permissions for Object Class *process* and
 permission *fork*.*
 
-
 ### Process Transition Walk-thorough
 
 This section walks through the ***execve**(2)* and checking whether a
@@ -459,14 +454,12 @@ computed. This function will (assuming there are no errors):
 check if a transition is allowed from the *unconfined_t* domain to the
 *ext_gateway_t* domain.*
 
-
 ![](./images/12-lsm-selinux-arch.png)
 
 **Figure 12: The Main LSM / SELinux Modules** - *The fork and exec functions
 link to [**Figure 7**](domain_object_transitions.md#domain-transition)
 where the transition process is described.*
 
-
 #### SELinux Filesystem
 
 **Table 6: SELinux filesystem Information** shows the information contained
@@ -738,8 +731,6 @@ Notes:
     */proc/&lt;self|pid&gt;/task/&lt;tid&gt;/attr/&lt;attr&gt;*
     interfaces.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/mac.md b/src/mac.md
index 5c746f2..7b88c24 100644
--- a/src/mac.md
+++ b/src/mac.md
@@ -29,7 +29,6 @@ chain for DAC and MAC are shown in **Figure 3**.
 **Figure 3: Processing a System Call** - *The DAC checks are carried out
 first, if they pass then the Security Server is consulted for a decision.*
 
-
 SELinux supports two forms of MAC:
 
 **Type Enforcement** - Where processes run in domains and the actions on
@@ -61,8 +60,6 @@ application separation, for example SELinux enabled:
     by the same app running on behalf of another user (see the
     [**Security Enhancements for Android - Computing a Context**](seandroid.md#computing-process-context-examples) section).
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/mls_mcs.md b/src/mls_mcs.md
index 862196b..4b4c15c 100644
--- a/src/mls_mcs.md
+++ b/src/mls_mcs.md
@@ -111,7 +111,6 @@ The format used in the policy language statements is fully described in
 the [MLS Statements](mls_statements.md#mls-statements) section, however
 a brief overview follows.
 
-
 #### MLS / MCS Range Format
 
 The following components (shown in bold) are used to define the MLS /
@@ -145,7 +144,6 @@ user:role:type:sensitivity[:category,...]  -  sensitivity [:category,...]
 </tbody>
 </table>
 
-
 #### Translating Levels
 
 When writing policy for MLS / MCS security level components it is usual
@@ -161,7 +159,6 @@ command can be used to set up this translation and is shown in the
 [**setrans.conf**](policy_config_files.md#setrans.conf) configuration file
 section.
 
-
 ### Managing Security Levels via Dominance Rules
 
 As stated earlier, allowing a process access to an object is managed by
@@ -279,12 +276,10 @@ the *mlsconstrain* statement as illustrated in
 **Table 2: MLS Security Levels** - *Showing the scope of a process running
 at a security range of *s0 - s3:c1.c5*.*
 
-
 ![](./images/9-mls-constrain.png)
 
 **Figure 9: Showing the mlsconstrain Statements controlling Read Down & Write Up** - *This ties in with* **Table 2: MLS Security Levels** *that shows a process running with a security range of s0 - s3:c1.c5.*
 
-
 Using **Figure 9: *mlsconstrain* Statements controlling Read Down & Write Up**:
 
 1.  To allow write-up, the source level (l1) must be **dominated by**
@@ -309,7 +304,6 @@ read-down. The default is to use l1 eq l2 (i.e. the levels are equal).
 The reference policy MLS source file (policy/mls) shows these
 *mlsconstrain* statements.
 
-
 ### MLS Labeled Network and Database Support
 
 Networking for MLS is supported via the NetLabel CIPSO (commercial IP
@@ -322,7 +316,6 @@ PostgreSQL supports labeling for MLS database services as discussed in
 the [**SE-PostgreSQL Support**](postgresql.md#postgresql-selinux-support)
 section.
 
-
 ### Common Criteria Certification
 
 While the [*Common Criteria*](http://www.commoncriteriaportal.org/)
@@ -353,8 +346,6 @@ An interesting point:
     look at the protection profiles as they define what was actually
     evaluated.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/mls_statements.md b/src/mls_statements.md
index c2bb4f3..f61ced6 100644
--- a/src/mls_statements.md
+++ b/src/mls_statements.md
@@ -63,13 +63,11 @@ the circumstances, there can be one level defined or a
 **Table 1: Sensitivity and Category = Security Level** - *this table shows
 the meanings depending on the context being discussed.*
 
-
 To make the security levels more meaningful, it is possible to use the
 setransd daemon to translate these to human readable formats. The
 **semanage**(8) command will allow this mapping to be defined as discussed
 in the [**setrans.conf**](policy_config_files.md#setrans.conf) section.
 
-
 #### MLS range Definition
 
 The MLS range is appended to a number of statements and defines the lowest and
@@ -102,7 +100,6 @@ low_level [ - high_level ]
 </tbody>
 </table>
 
-
 ## *sensitivity*
 
 The sensitivity statement defines the MLS policy sensitivity identifies
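
Review bot: in the context under `## *sensitivity*`, "defines the MLS policy sensitivity identifies" should read "identifiers".
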
@@ -182,7 +179,6 @@ sensitivity s15;
 sensitivity s0 alias secret wellmaybe ornot;
 ```
 
-
 ## *dominance*
 
 When more than one [*sensitivity*](#sensitivity)
@@ -246,7 +242,6 @@ The statement is valid in:
 dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
 ```
 
-
 ## *category*
 
 The *category* statement defines the MLS policy category
@@ -326,7 +321,6 @@ category c255;
 category c0 alias planning development benefits;
 ```
 
-
 ## *level*
 
 The *level* statement enables the previously declared sensitivity and
@@ -401,7 +395,6 @@ level s0:c0.c255;
 level s15:c0.c255;
 ```
 
-
 ## *range_transition*
 
 The *range_transition* statement is primarily used by the init process or
@@ -493,21 +486,18 @@ range_transition initrc_t auditd_exec_t:process s15:c0.c255;
 range_transition initrc_t cupsd_exec_t:process s15:c0.c255;
 ```
 
-
 ## *mlsconstrain*
 
 This is decribed in the
 [**Constraint Statements - *mlsconstrain***](constraint_statements.md#mlsconstrain)
 section.
 
-
 ## *mlsvalidatetrans*
 
 This is decribed in the
 [**Constraint Statements - *mlsvalidatetrans***](constraint_statements.md#mlsvalidatetrans)
 section.
 
-
 <!-- %CUTHERE% -->
 
 ---
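
Review bot: both the `## *mlsconstrain*` and `## *mlsvalidatetrans*` stubs in this hunk say "This is decribed in the"; "described" is misspelled in each.
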
diff --git a/src/modes.md b/src/modes.md
index 2b23353..344b72f 100644
--- a/src/modes.md
+++ b/src/modes.md
@@ -42,8 +42,6 @@ The ***sestatus**(8)* command will show the current SELinux
 enforcement mode in its output, however it does not display individual
 domain or object manager enforcement modes.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/modular_policy_statements.md b/src/modular_policy_statements.md
index 5efe604..e829e32 100644
--- a/src/modular_policy_statements.md
+++ b/src/modular_policy_statements.md
@@ -3,7 +3,6 @@
 This section contains statements used to support policy modules. They are
 not part of the kernel policy language.
 
-
 ## *module*
 
 This statement is mandatory for loadable modules (non-base) and must be
@@ -269,7 +268,6 @@ optional {
 } # end optional
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/network_statements.md b/src/network_statements.md
index 171790d..a625c26 100644
--- a/src/network_statements.md
+++ b/src/network_statements.md
@@ -82,7 +82,6 @@ Or
 ::
 ```
 
-
 ## *netifcon*
 
 The *netifcon* statement is used to label network interface objects (e.g.
@@ -178,7 +177,6 @@ netifcon eth2 system_u:object_r:netif_t:s0
 system_u:object_r:netif_t:s0
 ```
 
-
 ## *nodecon*
 
 The *nodecon* statement is used to label network address objects for peer
@@ -280,7 +278,6 @@ This command will produce the following file in the default
 nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0
 ```
 
-
 ## *portcon*
 
 The *portcon* statement is used to label udp, tcp, dccp or sctp ports.
@@ -375,7 +372,6 @@ This command will produce the following file in the default
 portcon udp 1234 system_u:object_r:reserved_port_t:s0
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/network_support.md b/src/network_support.md
index b519fb7..62f87f2 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -69,7 +69,6 @@ the inode associated to the socket and not from the actual kernel socket
 structure (as currently there is no standard kernel/userspace interface
 to achieve this).
 
-
 ## SECMARK
 
 SECMARK makes use of the standard kernel NetFilter framework that
@@ -181,8 +180,6 @@ The following articles explain the SECMARK service:
 -   [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html)
 -   [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html)
 
-
-
 ## NetLabel - Fallback Peer Labeling
 
 Fallback labeling can optionally be implemented on a system if the
@@ -204,7 +201,6 @@ the policy capability *network_peer_controls* being set to 0 and 1.
 **Figure 14: Fallback Labeling** - *Showing the differences between the
 policy capability ***network_peer_controls*** set to 0 and 1.*
 
-
 The *selinux-testsuite inet_socket* and *sctp* tests have examples of
 fallback labeling, and the following are a set of ***netlabelctl**(8)*
 commands from the *sctp* test:
@@ -221,7 +217,6 @@ netlabelctl -p map list
 Note that the security contexts must be valid in the policy otherwise the
 commands will fail.
 
-
 ## NetLabel – CIPSO/CALIPSO
 
 To allow MLS [**security levels**](mls_mcs.md#security-levels) to be passed
@@ -291,7 +286,6 @@ netlabelctl -p map list
 The examples use the *nb_client*/*nb_server* from the Notebook examples
 section, plus the standard Fedora 'targeted' policy for the tests.
 
-
 ## Labeled IPSec
 
 Labeled IPSec has been built into the standard GNU / Linux IPSec
@@ -437,7 +431,6 @@ article and a good reference covering **Basic Labeled IPsec Configuration**
 available at:
 <http://www.redhat.com/archives/redhat-lspp/2006-November/msg00051.html>
 
-
 ## Labeled Network FileSystem (NFS)
 
 Version 4.2 of NFS supports labeling between client/server and requires
@@ -458,7 +451,6 @@ Labeled NFS clients must use a consistent security policy.
 
 The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
 
-
 <section class="footnotes">
 <ol>
 <li id="fnn1"><p>For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.<a href="#fnnet1" class="footnote-back">↩</a></p></li>
@@ -467,7 +459,6 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels.
 </ol>
 </section>
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index 7337ef0..c07027f 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -69,7 +69,6 @@ Language, and the
 [**CIL Reference Guide**](./notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf)
 specifies the CIL Policy Language.
 
-
 # Kernel Object Classes and Permissions
 
 ## Common Permissions
@@ -345,7 +344,6 @@ inherited by a number of object classes.
 </tbody>
 </table>
 
-
 ### Common Capability Permissions
 
 <table>
@@ -575,7 +573,6 @@ explains the objects, their permissions and how they should be used in detail.
 </tbody>
 </table>
 
-
 ### Common X_Device Permissions
 
 The following table describes the common *x_device* permissions that are
@@ -666,7 +663,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-
 ## File Object Classes
 
 ### *filesystem*
@@ -906,7 +902,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-
 ## Network Object Classes
 
 ### *node*
@@ -1131,7 +1126,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-
 ## IPSec Network Object Classes
 
 ### *association*
@@ -1211,7 +1205,6 @@ inherited by the X-Windows *x_keyboard* and *x_pointer* object classes.
 </tbody>
 </table>
 
-
 ## Netlink Object Classes
 
 Netlink sockets communicate between userspace and the kernel – also see
@@ -1611,7 +1604,6 @@ Netlink sockets communicate between userspace and the kernel – also see
 </tbody>
 </table>
 
-
 ## Miscellaneous Network Object Classes
 
 ### *peer*
@@ -1714,7 +1706,6 @@ Netlink sockets communicate between userspace and the kernel – also see
 </tbody>
 </table>
 
-
 ## Sockets via *extended_socket_class*
 
 These socket classes that were introduced by the
@@ -1901,7 +1892,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-
 ## BPF Object Class
 
 ### *bpf*
@@ -1939,7 +1929,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-
 ## Performance Event Object Class
 
 ### *perf_event*
@@ -1981,7 +1970,6 @@ These socket classes that were introduced by the
 </tbody>
 </table>
 
-
 ## Lockdown Object Class
 
 Note: If the *lockdown* LSM is enabled alongside SELinux, then the
@@ -2011,7 +1999,6 @@ implementation.
 </tbody>
 </table>
 
-
 ## IPC Object Classes
 
 ### *ipc* (Deprecated)
@@ -2121,7 +2108,6 @@ implementation.
 </tbody>
 </table>
 
-
 ## Process Object Class
 
 ### *process*
@@ -2286,7 +2272,6 @@ implementation.
 </tbody>
 </table>
 
-
 ## Security Object Class
 
 ### *security*
@@ -2356,7 +2341,6 @@ implementation.
 </tbody>
 </table>
 
-
 ## System Operation Object Class
 
 Note that while this is defined as a kernel object class, the userspace
@@ -2442,7 +2426,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-
 ## Miscellaneous Kernel Object Classes
 
 ### *kernel_service*
@@ -2562,7 +2545,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-
 ## Capability Object Classes
 
 ### *capability*
@@ -2641,7 +2623,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-
 ## InfiniBand Object Classes
 
 ### *infiniband_pkey*
@@ -2682,7 +2663,6 @@ Note that while this is defined as a kernel object class, the userspace
 </tbody>
 </table>
 
-
 **Userspace** Object Classes
 =============================
 
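Review bot: the `**Userspace** Object Classes` heading kept as context at the end of this hunk is still a setext heading (underlined with `=`), while the other top-level heading visible in this file's diff is ATX (`# Kernel Object Classes and Permissions`). Since the blank line above it is being touched anyway, consider converting it to `# Userspace Object Classes` so both top-level headings use the same style.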
@@ -3321,7 +3301,6 @@ These are userspace objects managed by XSELinux.
 </tbody>
 </table>
 
-
 ## Database Object Classes
 
 These are userspace objects - The PostgreSQL database supports these
@@ -3652,7 +3631,6 @@ explains the objects, their permissions and how they should be used in detail.
 </tbody>
 </table>
 
-
 ## Miscellaneous Userspace Object Classes
 
 ### *passwd*
@@ -3865,8 +3843,6 @@ explains the objects, their permissions and how they should be used in detail.
 </tbody>
 </table>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/objects.md b/src/objects.md
index 9dff3fa..09c77f3 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -91,7 +91,6 @@ Where:
 </tbody>
 </table>
 
-
 ![](./images/6-allow-rule.png)
 
 **Figure 6: The *allow* rule** - *Showing that the subject (the processes
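Review bot: the image in the context line `![](./images/6-allow-rule.png)` has empty alt text, so the rendered HTML gives no description when the image is missing or read by a screen reader. While tidying the spacing around it, consider filling in the alt text, for example with the figure title that already follows in bold.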
@@ -186,7 +185,6 @@ security.selinux="unconfined_u:object_r:user_home:s0
 # (or label) held for the file is displayed.
 ```
 
-
 #### Copying and Moving Files
 
 Assuming that the correct permissions have been granted by the policy,
@@ -321,7 +319,6 @@ process itself should clear or shred the information before releasing
 the object (which can be difficult in some cases unless the source code
 is available).
 
-
 <section class="footnotes">
 <ol>
 <li id="fno1"><p>These file systems store the security context in an attribute
@@ -330,8 +327,6 @@ associated with the file.<a href="#fnobj1" class="footnote-back">↩</a></p></li
 </ol>
 </section>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/pam_login.md b/src/pam_login.md
index 02878ab..08e1599 100644
--- a/src/pam_login.md
+++ b/src/pam_login.md
@@ -111,8 +111,6 @@ perform the following functions:
 -   ***pam_selinux.so close*** - This will reset the login programs context
     to the context defined in the policy.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 408d06d..b6ae69c 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -31,7 +31,6 @@ additional two files are required:
     SELinux.
 -   *./context/x_contexts* - To allow the X-Windows service to run under SELinux.
 
-
 ## *seusers*
 
 The ***seusers**(5)* file is used by login programs (normally via the
@@ -76,7 +75,6 @@ __default__:user_u:s0-s0
 -   ***getseuser**(3)*
 -   ***getseuserbyname**(3)*
 
-
 ## *booleans*
 ## *booleans.local*
 
@@ -125,7 +123,6 @@ Note that if *SETLOCALDEFS* is set in the SELinux
 in the ***selinux_booleans_path**(3)*, and also a *local.users* file
 in the ***selinux_users_path**(3)*.
 
-
 ## *booleans.subs_dist*
 
 The *booleans.subs_dist* file (if present) will allow new boolean names
@@ -171,7 +168,6 @@ Supporting libselinux API functions are:
 -   ***security_get_boolean_names**(3)*
 -   ***security_set_boolean**(3)*
 
-
 ## setrans.conf
 
 The ***setrans.conf**(8)* file is used by the ***mcstransd**(8)* daemon
@@ -230,7 +226,6 @@ Supporting libselinux API functions are:
 -   ***selinux_raw_to_trans_context**(3)*
 -   ***selinux_trans_to_raw_context**(3)*
 
-
 ## *secolor.conf*
 
 The **secolor.conf**(5) file controls the colour to be associated to the
@@ -322,7 +317,6 @@ user : role : type : range
 black white white black tan orange black green
 ```
 
-
 ## *policy/policy.&lt;ver&gt;*
 
 This is the binary policy file that is loaded into the kernel to enforce
@@ -338,7 +332,6 @@ discussed in the
 [**Types of SELinux Policy - Policy Versions**](types_of_policy.md#policy-versions)
 section.
 
-
 ## *contexts/customizable_types*
 
 The ***customizable_types**(5)* file contains a list of types that will
@@ -380,7 +373,6 @@ sysadm_untrusted_content_tmp_t
 -   ***selinux_customizable_types_path**(3)*
 -   ***selinux_context_path**(3)*
 
-
 ## *contexts/default_contexts*
 
 The ***default_contexts**(5)* file is used by SELinux-aware applications
@@ -442,7 +434,6 @@ these functions.
 -   ***query_user_context**(3)*
 -   ***manual_user_enter_context**(3)*
 
-
 An example use in this Notebook (to get over a small feature) is that
 when the initial **basic policy** was built, no default_contexts file
 entries were required as only one *role:type* of *unconfined_r:unconfined_t*
@@ -470,7 +461,6 @@ The login process could now set the context correctly to
 *contexts/users/unconfined_u* configuration file instead could also have
 achieved this.
 
-
 ## *contexts/dbus_contexts*
 
 This file is for the dbus messaging service daemon (a form of IPC) that
@@ -497,7 +487,6 @@ information at:
 
 -   ***selinux_context_path**(3)*
 
-
 ## *contexts/default_type*
 
 The **default_type**(5) file allows SELinux-aware applications such as
@@ -536,7 +525,6 @@ user_r:user_t
 -   ***selinux_default_type_path**(3)*
 -   ***get_default_type**(3)*
 
-
 ## *contexts/failsafe_context*
 
 The **failsafe_context**(5) is used when a login process cannot
@@ -579,7 +567,6 @@ sysadm_r:sysadm_t:s0
 -   ***get_ordered_context_list**(3)*
 -   ***get_ordered_context_list_with_level**(3)*
 
-
 ## *contexts/initrc_context*
 
 This is used by the ***run_init**(8)* command to allow system services to
@@ -605,7 +592,6 @@ user:role:type[:range]
 
 **Example file contents:**
 
-
 ```
 # Taken from the MLS policy
 # Note that the init process has full access via the range s0-s15:c0.c255.
@@ -617,7 +603,6 @@ system_u:system_r:initrc_t:s0-s15:c0.c255
 
 -   ***selinux_context_path**(3)*
 
-
 ## *contexts/lxc_contexts*
 
 This file supports labeling lxc containers within the *libvirt* library
@@ -672,7 +657,6 @@ sandbox_lxc_process = "system_u:system_r:container_t:s0"
 -   ***selinux_context_path**(3)*
 -   ***selinux_lxc_context_path**(3)*
 
-
 ## *contexts/netfilter_contexts* - Obsolete
 
 This file was to support the Secmark labeling for Netfilter / iptable rule
@@ -683,30 +667,25 @@ matching of network packets - Never been used.
 -   ***selinux_context_path**(3)*
 -   ***selinux_netfilter_context_path**(3)*
 
-
 ## *contexts/openrc_contexts*
 
 **To be determined**
 
 **The file format is as follows:**
 
-
 **Example file contents:**
 
-
 **Supporting libselinux API functions are:**
 
 -   ***selinux_context_path**(3)*
 -   ***selinux_openrc_contexts_path**(3)*
 
-
 ## *contexts/openssh_contexts*
 
 **To be determined**
 
 **The file format is as follows:**
 
-
 **Example file contents:**
 
 ```
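Review bot: under `## *contexts/openrc_contexts*`, the labels `**The file format is as follows:**` and `**Example file contents:**` are left with nothing beneath them, and removing the extra blank lines makes them render as bold labels stacked directly on top of each other. Either put a "To be determined" placeholder under each, or drop the empty labels until the format is documented. The same applies to the empty file-format label under `## *contexts/openssh_contexts*` in this hunk.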
@@ -718,7 +697,6 @@ privsep_preauth=sshd_net_t
 -   ***selinux_context_path**(3)*
 -   ***selinux_openssh_contexts_path**(3)*
 
-
 ## *contexts/removable_context*
 
 The **removable_context**(5) file contains a single default label that
@@ -752,7 +730,6 @@ system_u:object_r:removable_t:s0
 
 -   ***selinux_removable_context_path**(3)*
 
-
 ## *contexts/sepgsql_contexts*
 
 This file contains the default security contexts for SE-PostgreSQL
@@ -784,7 +761,6 @@ object_type object_name context
 </tbody>
 </table>
 
-
 **Example file contents:**
 
 ```
@@ -794,14 +770,12 @@ db_database        *        system_u:object_r:sepgsql_db_t:s0
 db_schema         *.*       system_u:object_r:sepgsql_schema_t:s0
 ```
 
-
 ## *contexts/snapperd_contexts*
 
 **To be determined**
 
 **The file format is as follows:**
 
-
 **Example file contents:**
 
 ```
@@ -813,7 +787,6 @@ snapperd_data = system_u:object_r:snapperd_data_t:s0
 -   ***selinux_context_path**(3)*
 -   ***selinux_snapperd_contexts_path**(3)*
 
-
 ## *contexts/securetty_types*
 
 The ***securetty_types**(5)* file is used by the ***newrole**(1)* command
@@ -848,7 +821,6 @@ staff_tty_device_t
 
 -   ***selinux_securetty_types_path**(3)*
 
-
 ## *contexts/systemd_contexts*
 
 This file contains security contexts to be used by tasks run via ***systemd**(8)*.
@@ -885,7 +857,6 @@ runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
 -   ***selinux_context_path**(3)*
 -   ***selinux_systemd_contexts_path**(3)*
 
-
 ## *contexts/userhelper_context*
 
 This file contains the default security context used by the
@@ -918,7 +889,6 @@ system_u:sysadm_r:sysadm_t:s0
 
 -   ***selinux_context_path**(3)*
 
-
 ## *contexts/virtual_domain_context*
 
 The ***virtual_domain_context**(5)* file is used by the virtulization
@@ -938,7 +908,6 @@ system_u:system_r:svirt_tcg_t:s0
 
 -   ***selinux_virtual_domain_context_path**(3)*
 
-
 ## *contexts/virtual_image_context*
 
 The ***virtual_image_context**(5)* file is used by the virtulization API
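Review bot: the trailing context line here spells "virtulization", and the same spelling appears under `## *contexts/virtual_domain_context*` in the previous hunk. If this patch should stay whitespace-only, a follow-up in the series correcting both to "virtualization" would be worthwhile.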
@@ -958,7 +927,6 @@ system_u:object_r:virt_content_t:s0
 
 -   ***selinux_virtual_image_context_path**(3)*
 
-
 ## *contexts/x_contexts*
 
 The ***x_contexts**(5)* file provides the default security contexts for
@@ -1002,7 +970,6 @@ selection      PRIMARY	   system_u:object_r:clipboard_xselection_t:s0
 -   ***selabel_lookup**(3)*
 -   ***selabel_stats**(3)*
 
-
 ## *contexts/files/file_contexts*
 
 The ***file_contexts**(5)* file is managed by the ***semodule**(8)* and
@@ -1035,7 +1002,6 @@ compatible regular expression (PCRE) internal format.
 -   ***selabel_lookup**(3)*
 -   ***selabel_stats**(3)*
 
-
 ## *contexts/files/file_contexts.local*
 
 This file is added by the ***semanage fcontext*** command as described in the
@@ -1047,7 +1013,6 @@ file section to allow locally defined files to be labeled correctly. The
 
 -   ***selinux_file_context_local_path**(3)*
 
-
 ## *contexts/files/file_contexts.homedirs*
 
 This file is managed by the ***semodule**(8)* and ***semanage**(8)* commands
@@ -1072,7 +1037,6 @@ Perl compatible regular expression (PCRE) internal format.
 -   ***selinux_file_context_homedir_path**(3)*
 -   ***selinux_homedir_context_path**(3)*
 
-
 ## contexts/files/file_contexts.subs
 ## contexts/files/file_contexts.subs_dist
 
@@ -1104,7 +1068,6 @@ with */var/www*, with the final result being:
 -   ***matchpathcon**(3)* (deprecated)
 -   ***matchpathcon_index**(3)* (deprecated)
 
-
 ## *contexts/files/media*
 
 The **media**(5)* file is used to map media types to a file context. If
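Review bot: in the context line `The **media**(5)* file is used to map media types`, the trailing `*` after `(5)` has no opening counterpart, so a stray asterisk will show up in the rendered output. The other man-page references in this file use the form `***name**(n)*`. Suggest changing it to `***media**(5)*` as part of this cleanup.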
@@ -1145,7 +1108,6 @@ disk system_u:object_r:fixed_disk_device_t:s0
 
 -   ***selinux_media_context_path**(3)*
 
-
 ## *contexts/users/[seuser_id]*
 
 These optional files are named after the SELinux user they represent.
@@ -1183,7 +1145,6 @@ system_r:init_t:s0		unconfined_r:unconfined_t:s0
 -   ***get_ordered_context_list**(3)*
 -   ***get_ordered_context_list_with_level**(3)*
 
-
 ## *logins/&lt;linuxuser_id&gt;*
 
 These optional files are used by SELinux-aware login applications such
@@ -1238,7 +1199,6 @@ another_service:unconfined_u:s0
 
 -   ***getseuser**(3)*
 
-
 ## users/local.users
 
 **NOTE: These were removed in libselinux 3.0**
@@ -1258,15 +1218,12 @@ Note that if *SETLOCALDEFS* is set in the SELinux
 in the ***selinux_booleans_path**(3)*, and also a *local.users* file
 in the ***selinux_users_path**(3)*.
 
-
 <section class="footnotes">
 <ol>
 <li id="fnp1"><p>As each module would have its own file_contexts component that is either added or removed from the policies overall /etc/selinux/&lt;SELINUXTYPE&gt;/contexts/ files/file_contexts file.<a href="#fnpcf1" class="footnote-back">↩</a></p></li>
 </ol>
 </section>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/policy_config_statements.md b/src/policy_config_statements.md
index b5cf10a..156b434 100644
--- a/src/policy_config_statements.md
+++ b/src/policy_config_statements.md
@@ -65,7 +65,6 @@ policycap capability;
 policycap network_peer_controls;
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/policy_languages.md b/src/policy_languages.md
index fe579fe..90c17fe 100644
--- a/src/policy_languages.md
+++ b/src/policy_languages.md
@@ -55,7 +55,6 @@ domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
 domain_entry_file(test_stat_domain, ls_exec_t)
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/policy_store_config_files.md b/src/policy_store_config_files.md
index c1337c7..3e7f8ab 100644
--- a/src/policy_store_config_files.md
+++ b/src/policy_store_config_files.md
@@ -54,7 +54,6 @@ The command types are:
 -   [***semanage user***](#activeusers.local) Manage  SELinux confined users
 (Roles and levels for an SELinux user)
 
-
 ## active/modules Directory Contents
 
 Under this directory are the respective priority directories containing
@@ -83,7 +82,6 @@ test_policy               400       pp
 ...
 ```
 
-
 ### *tmp* Policy Store (build failure)
 
 When adding/updating a policy module and it fails to  build for some reason,
@@ -95,13 +93,11 @@ message indicating the failing line number is:
 Failed to resolve mlsconstrain statement at /var/lib/selinux/targeted/tmp/modules/400/test_mlsconstrain/cil:1
 ```
 
-
 ## *active/commit_num*
 
 This is a binary file used by ***semanage*** for managing updates to the
 store. The format is not relevant to policy construction.
 
-
 ### *active/policy.kern*
 
 This is the binary policy file built by either the ***semanage**(8)* or
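Review bot: `### *active/policy.kern*` sits one heading level below its neighbours, `## *active/commit_num*` just above it and `## *active/policy.linked*` in the next hunk, although all three look like sibling entries for files in the store. If the nesting is not intentional, change it to `## *active/policy.kern*` while the spacing around these headings is being adjusted.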
@@ -110,7 +106,6 @@ is then becomes the
 */etc/selinux/&lt;SELINUXTYPE&gt;/policy/policy.&lt;ver&gt;* binary policy
 that will be loaded into the kernel.
 
-
 ## *active/policy.linked*
 ## *active/seusers.linked*
 ## *active/seusers_extra.linked*
@@ -118,7 +113,6 @@ that will be loaded into the kernel.
 These are saved policy files prior to merging local changes to improve
 performance.
 
-
 ## *active/booleans.local*
 
 This file is created and updated by the ***semanage boolean*** command and
@@ -141,7 +135,6 @@ semanage boolean -m --on daemons_enable_cluster_mode
 daemons_enable_cluster_mode=1
 ```
 
-
 ## *disable_dontaudit*
 
 This file is only present when the ***semodule**(8)* '-D' flag is used to
@@ -149,7 +142,6 @@ to build the policy or ***semanage dontaudit***. It indicates that a policy
 has been built without the *dontaudit* rules. This allows utilities
 such as ***audit2allow**(8)* to list all denials to assist debugging policy.
 
-
 ## *active/file_contexts*
 
 This file becomes the policy
@@ -271,7 +263,6 @@ pathname_regexp [file_type] security_context | <<none>>
 </tbody>
 </table>
 
-
 Keywords that can be in policy source \*.fc files and then form the *file_contexts.template* file entries are:
 
 <table>
@@ -305,7 +296,6 @@ Keywords that can be in policy source \*.fc files and then form the *file_contex
 </tbody>
 </table>
 
-
 **Example policy source file from Reference Policy** *policy/modules/system/userdomain.fc*:
 
 ```
@@ -341,7 +331,6 @@ HOME_ROOT/lost\+found/.*	<<none>>
 /home		-l	gen_context(system_u:object_r:home_root_t,s0)
 ```
 
-
 ## *active/file_contexts.local*
 
 This file is created and updated by the ***semanage fcontext*** command. It is
@@ -371,7 +360,6 @@ The resulting *file_contexts.local* file will be:
 /usr/move_file    system_u:object_r:unlabeled_t:s0
 ```
 
-
 ## *active/homedir_template*
 
 This file is built as described in the
@@ -396,7 +384,6 @@ HOME_ROOT/\.journal	<<none>>
 HOME_DIR/.+	system_u:object_r:user_home_t:s0
 ```
 
-
 ### *active/file_contexts.homedirs*
 
 This file becomes the policy
@@ -432,7 +419,6 @@ libsepol library function.
 /home/[^/]+/.+	unconfined_u:object_r:user_home_t:s0
 ```
 
-
 ## active/seusers
 ## active/seusers.local
 
@@ -517,7 +503,6 @@ __default__:unconfined_u:s0-s0:c0.c1023
 rch:user_u:s0
 ```
 
-
 ## *active/users_extra*
 ## *active/users_extra.local*
 ## *active/users.local*
@@ -579,7 +564,6 @@ user seuser_id prefix prefix_id;
 </tbody>
 </table>
 
-
 **Example** *users_extra* **file contents:**
 
 ```
@@ -626,7 +610,6 @@ and the resulting *users.local* file will be:
 user test_u roles { staff_r } level s0 range s0;
 ```
 
-
 ## *active/interfaces.local*
 
 This file is created and updated by the ***semanage interface*** command to
@@ -651,7 +634,6 @@ semanage interface -a -t netif_t -r s0:c20.c250 enp7s0
 netifcon enp7s0 system_u:object_r:netif_t:s0:c20.c250 system_u:object_r:netif_t:s0:c20.c250
 ```
 
-
 ## *active/nodes.local*
 
 This file is created and updated by the ***semanage node*** command to hold
@@ -677,7 +659,6 @@ semanage node -a -M 255.255.255.255 -t node_t -r s0:c20.c250 -p ipv4 127.0.0.2
 nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0:c20.c250
 ```
 
-
 ## *active/ports.local*
 
 This file is created and updated by the ***semanage port*** command to hold
@@ -688,7 +669,6 @@ Each line of the file contains a *portcon* statement that is defined along
 with examples in the policy language
 [***portcon***](network_statements.md#portcon) section.
 
-
 **Example** ***semanage port*** **command:**
 
 ```
@@ -704,7 +684,6 @@ semanage port -a -t port_t -p tcp -r s0:c20.c350 8888
 portcon tcp 8888 system_u:object_r:port_t:s0:c20.c350
 ```
 
-
 ## Set domain permissive mode
 
 The ***semanage permissive*** command will either add or remove a policy
@@ -726,8 +705,6 @@ This will by default add a CIL policy module to
 Note that the CIL *typepermissive* statement is used, the equivalent kernel
 policy statement would be [***permissive***](type_statements.md#permissive).
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/policy_validation_example.md b/src/policy_validation_example.md
index 628ee7b..8b7513f 100644
--- a/src/policy_validation_example.md
+++ b/src/policy_validation_example.md
@@ -97,7 +97,6 @@ options as described in the
 [**Global Configuration Files** - *semanage.conf*](global_config_files.md#etcselinuxsemanage.conf)
 file section.
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/polyinstantiation.md b/src/polyinstantiation.md
index cca439b..3a64918 100644
--- a/src/polyinstantiation.md
+++ b/src/polyinstantiation.md
@@ -23,7 +23,6 @@ To clarify polyinstantiation support:
     function of the XSELinux Object Manager and the supporting XACE
     service.
 
-
 ## Polyinstantiated Objects
 
 Determining a polyinstantiated context for an object is supported by
@@ -33,7 +32,6 @@ libselinux API functions. These are not limited to specific object
 classes, however only *dir*, *x_selection* and *x_property* objects are
 currently supported.
 
-
 ## Polyinstantiation support in PAM
 
 PAM supports polyinstantiation (namespaces) of directories at login time
@@ -102,7 +100,6 @@ instance, and the user name. If a new instance is being set up, the
 directory permissions are set and the ***restorecon**(8)* command is run
 to set the correct file contexts.
 
-
 #### *namespace.conf* Configuration File
 
 Each line in the namespace.conf file is formatted as follows:
@@ -139,7 +136,6 @@ Where:
 </tbody>
 </table>
 
-
 ### Example Configurations
 
 This section shows two sample *namespace.conf* configurations, the first
@@ -205,7 +201,6 @@ following polyinstantiated directories:
 /home/rch/rch.inst/unconfined_u:unconfined_r:unconfined_t_rch
 ```
 
-
 ## Polyinstantiation support in X-Windows
 
 The X-Windows SELinux object manager and XACE (X Access Control
@@ -214,7 +209,6 @@ objects as discussed in the
 [**SELinux X-Windows Support**](x_windows.md#x-windows-selinux-support)
 section.
 
-
 ## Polyinstantiation support in the Reference Policy
 
 The reference policy *files.te* and *files.if* modules (in the kernel
@@ -226,8 +220,6 @@ boolean is set *false* (off).
 The polyinstantiation of X-Windows objects (*x_selection* and
 *x_property*) are not currently supported by the reference policy.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/rbac.md b/src/rbac.md
index 7bb1b4f..4063e38 100644
--- a/src/rbac.md
+++ b/src/rbac.md
@@ -22,8 +22,6 @@ Some policies, for example Android, only make use of one role called *r*.
 **Figure 4: Role Based Access Control** - *Showing how SELinux controls
 access via user, role and domain type association.*
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/reference_policy.md b/src/reference_policy.md
index 760d154..7b7dd64 100644
--- a/src/reference_policy.md
+++ b/src/reference_policy.md
@@ -26,7 +26,6 @@ In most documentation the policy name is defined using the
 */etc/selinux/config* file entry **SELINUXTYPE=**. This part of the Notebook
 uses both forms.
 
-
 ### Reference Policy Overview
 
 Strictly speaking the 'Reference Policy' should refer to the policy
@@ -71,7 +70,6 @@ section explains a simple build from source.
 
 **Figure 26: The Reference Policy Source Tree** - *When building a modular policy, files are added to the policy store. For monolithic builds the policy store is not used.*
 
-
 The Reference Policy can be used to build two policy types:
 
 1.  **Loadable Module Policy** - A policy that has a
@@ -93,7 +91,6 @@ forming a single 'base' source file.
 The Reference Policy relies heavily on the ***m4**(1)* macro processor
 as the majority of supporting services are m4 macros.
 
-
 ### Distributing Policies
 
 It is possible to distribute the Reference Policy in two forms:
@@ -134,7 +131,6 @@ The selinux-policy-sandbox rpm contains the sandbox module for use by the
 *policycoreutils-sandbox* package. This will be installed as a module for
 one of the three main policies described above.
 
-
 ### Policy Functionality
 
 As can be seen from the policies distributed with Fedora above, they can
@@ -148,7 +144,6 @@ the *SELINUXTYPE* entry of the *build.conf* as shown in
     and can also confine other areas and users.
 -   mls - MLS policy for server based systems.
 
-
 ### Reference Policy Module Files
 
 The reference policy modules are constructed using a mixture of
@@ -310,7 +305,6 @@ interface(*ada_run',*
 /usr/libexec/gcc(/.*)?/gnat1	--	gen_context(system_u:object_r:ada_exec_t,s0)
 ```
 
-
 ### Reference Policy Documentation
 
 One of the advantages of the reference policy is that it is possible to
@@ -338,7 +332,6 @@ the ada module interfaces.
 
 **Figure 27: Example Documentation Screen Shot**
 
-
 ## Reference Policy Source
 
 This section explains the source layout and configuration files, with
@@ -351,7 +344,6 @@ updated with the authors comments as necessary). There is also a VERSION
 file that contains the Reference Policy release date, this can then be used to
 obtain a change list <https://github.com/SELinuxProject/refpolicy/releases>.
 
-
 ### Source Layout
 
 **Figure 26: The Reference Policy Source Tree** shows the layout of the
@@ -376,7 +368,6 @@ The
 section then describes how the initial source is installed and
 configured to allow a policy to be built.
 
-
 ### Reference Policy Files and Directories
 
 **Table 1: The Reference Policy Files and Directories** shows the major
@@ -535,13 +526,11 @@ modular policy is being built. This file is explained in the
 
 **Table 1: The Reference Policy Files and Directories**
 
-
 ### Source Configuration Files
 
 There are two major configuration files (build.conf and modules.conf)
 that define the policy to be built and are detailed in this section.
 
-
 #### Reference Policy Build Options - build.conf
 
 This file defines the policy type to be built that will influence its
@@ -550,7 +539,6 @@ An example file content is shown in the
 [**Installing and Building the Reference Policy Source**](#installing-and-building-the-reference-policy-source)
 section where it is used to install and then build the policy.
 
-
 **Table 2:** *build.conf* **Entries** explains the fields that can be defined within this file, however
 there are a number of *m4* macro parameters that are set up when this file is
 read by the build process makefiles. These macro definitions are shown
@@ -647,7 +635,6 @@ policy is built with examples shown in the
 
 **Table 2:** *build.conf* **Entries**
 
-
 <table>
 <tbody>
 <tr style="background-color:#F2F2F2;">
@@ -705,7 +692,6 @@ policy is built with examples shown in the
 
 **Table 3: m4 parameters set at build time** - *These have been extracted from the Reference Policy Makefile.*
 
-
 #### Reference Policy Build Options - policy/modules.conf
 
 This file will not be present until *make conf* is run and controls
@@ -908,7 +894,6 @@ reference policy are different)
 
 **Table 4: Mandatory modules.conf Entries**
 
-
 ##### Building the modules.conf File
 
 The file can be created by an editor, however it is generally built
@@ -921,7 +906,6 @@ As will be seen in the
 pre-configured files that are used to produce the required policy including
 multiple versions of the *modules.conf* file.
 
-
 ### Source Installation and Build Make Options
 
 This section explains the various make options available that have been
@@ -967,7 +951,6 @@ taken from the *README* file.
 
 **Table 5: General Build Make Targets**
 
-
 <table>
 <tbody>
 <tr style="background-color:#F2F2F2;">
@@ -1054,7 +1037,6 @@ taken from the *README* file.
 
 **Table 7: Monolithic Policy Build Make Targets**
 
-
 ### Booleans, Global Booleans and Tunable Booleans
 
 The three files *booleans.conf*, *global_booleans* and *global_tunables* are
@@ -1081,7 +1063,6 @@ built and used as follows:
 </tbody>
 </table>
 
-
 ### Modular Policy Build Structure
 
 This section explains the way a modular policy is constructed, this does
@@ -1209,7 +1190,6 @@ in **Table 9: Module Build**.
 
 **Table 8: Base Module Build** - *This shows the temporary build files used to build the base module 'base.conf' as a part of the 'make' process. Note that the modules marked as base in modules.conf are built here.*
 
-
 <table>
 <tbody>
 <tr style="background-color:#F2F2F2;">
@@ -1246,7 +1226,6 @@ in **Table 9: Module Build**.
 
 **Table 9: Module Build** - *This shows the module files and the temporary build files used to build each module as a part of the 'make' process (i.e. those modules marked as module in modules.conf).*
 
-
 ### Creating Additional Layers
 
 One objective of the reference policy is to separate the modules into
@@ -1271,7 +1250,6 @@ completed:
 <summary>ABC modules for the XYZ components.</summary>
 ```
 
-
 ## Installing and Building the Reference Policy Source
 
 This section will give a brief overview of how to build the Reference
@@ -1280,7 +1258,6 @@ the Fedora targeted policy. The Fedora version of the targeted
 policy build is discussed but building without using the rpm spec file
 is more complex.
 
-
 ### Building Standard Reference Policy
 
 This will run through a simple configuration process and build of a
@@ -1420,7 +1397,6 @@ WERROR = n
     as ***apol**(8)* or loaded by editing the */etc/selinux/config*
     file, running '*touch /.autorelabel*' and rebooting the system.
 
-
 ### Building the Fedora Policy
 
 Note, the Fedora [**selinux-policy**](https://github.com/fedora-selinux)
@@ -1591,7 +1567,6 @@ QUIET = n
     '*touch /.autorelabel*' and rebooting the system. It should have the
     same number of rules, types, classes etc. as the original release.
 
-
 ## Reference Policy Headers
 
 This method of building policy and adding new modules is used for
@@ -1627,7 +1602,6 @@ source two steps are required:
 -   Copy the module interface files (*.if*) to the relevant module
     directories at: */usr/share/selinux/&lt;SELINUXTYPE&gt;/include/modules*.
 
-
 ### Using the Reference Policy Headers
 
 Note that this section describes the standard Reference Policy headers,
@@ -1697,7 +1671,6 @@ modules built from headers.
 
 **Table 10: Header Policy Build Make Targets**
 
-
 ### Using Fedora Supplied Headers
 
 The Fedora distribution installs the headers in a slightly different
@@ -1712,7 +1685,6 @@ manner as Fedora installs:
 -   The documentation is installed in the
     */usr/share/doc/selinux-policy/html* directory.
 
-
 ## Reference Policy Support Macros
 
 This section explains some of the support macros used to build reference
@@ -1864,7 +1836,6 @@ Incorrect:
 policy_module (ftp, 1.7.0)
 ```
 
-
 ### Loadable Policy Macros
 
 The loadable policy module support macros are located in the
@@ -1950,7 +1921,6 @@ require {
 }
 ```
 
-
 #### *gen_require* Macro
 
 For use within module files to insert a *require* block.
@@ -2013,7 +1983,6 @@ require {
 }
 ```
 
-
 #### *optional_policy* Macro
 
 For use within module files to insert an *optional* block that will be
@@ -2180,7 +2149,6 @@ optional {
 } # end optional
 ```
 
-
 #### *gen_tunable* Macro
 
 This macro defines booleans that are global in scope. The corresponding
@@ -2336,7 +2304,6 @@ if (allow_ftpd_use_nfs && allow_ftpd_anon_write) {
 } # end allow_ftpd_use_nfs && allow_ftpd_anon_write
 ```
 
-
 #### *interface* Macro
 
 Access *interface* macros are defined in the interface module file (*.if*)
@@ -2456,7 +2423,6 @@ optional {
 } # end optional
 ```
 
-
 #### *template* Macro
 
 A template interface is used to help create a domain and set up the
@@ -2609,7 +2575,6 @@ template(*djbdns_daemontools_domain_template',*
 ##### end djbdns_daemontools_domain_template(dnscache) depth: 0
 ```
 
-
 ### Miscellaneous Macros
 
 These macros are in the *misc_macros.spt* file.
@@ -2679,7 +2644,6 @@ gen_context(context[,mls | mcs])
 /dev/\.tmp-block-.*  -c  system_u:object_r:fixed_disk_device_t:s15:c0.c1023
 ```
 
-
 #### *gen_user* Macro
 
 This macro is used to generate a valid [***user***](user_statements.md#user)
@@ -2758,7 +2722,6 @@ ifdef(*direct_sysadm_daemon',*
 ')
 ```
 
-
 **Expanded Macro:**
 
 ```
@@ -2777,7 +2740,6 @@ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - s15
 user root prefix sysadm;
 ```
 
-
 #### *gen_bool* Macro
 
 This macro defines a boolean and requires the following steps:
@@ -2912,7 +2874,6 @@ if( ! secure_mode_insmod ) {
 }
 ```
 
-
 ### MLS and MCS Macros
 
 These macros are in the *mls_mcs_macros.spt* file.
@@ -2986,7 +2947,6 @@ category c1;
 category c1023;
 ```
 
-
 #### *gen_sens* Macro
 
 This macro will generate a
@@ -3056,7 +3016,6 @@ sensitivity s1;
 sensitivity s15;
 ```
 
-
 #### *gen_levels* Macro
 
 This macro will generate a [*level*](mls_statements.md#level) for each level
@@ -3128,7 +3087,6 @@ level s1:c0.c1023;
 level s15:c0.c1023;
 ```
 
-
 #### System High/Low Parameters
 
 These macros define system high etc. as shown.
@@ -3183,13 +3141,11 @@ mcs_allcats
 c0.c1023
 ```
 
-
 ### *ifdef* / *ifndef* Parameters
 
 This section contains examples of the common *ifdef* / *ifndef*
 parameters that can be used in module source files.
 
-
 #### *hide_broken_symptoms*
 
 This is used within modules as shown in the example. The parameter is
@@ -3210,7 +3166,6 @@ ifdef(*hide_broken_symptoms',*
 ')
 ```
 
-
 #### *enable_mls* and *enable_mcs*
 
 These are used within modules as shown in the example. The parameters
@@ -3238,7 +3193,6 @@ ifdef(*enable_mcs',*
 ')
 ```
 
-
 #### *enable_ubac*
 
 This is used within the *./policy/constraints* configuration file to set
@@ -3268,7 +3222,6 @@ define(*basic_ubac_conditions',*
 ')
 ```
 
-
 #### *direct_sysadm_daemon*
 
 This is used within modules as shown in the example. The parameter is
@@ -3291,7 +3244,6 @@ ifndef(*direct_sysadm_daemon',*
 ')
 ```
 
-
 ## Module Expansion Process
 
 The objective of this section is to show how the modules are expanded by
@@ -3319,8 +3271,6 @@ section.
 
 **Figure 29: The expansion process**
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/role_statements.md b/src/role_statements.md
index ad73750..c11a01d 100644
--- a/src/role_statements.md
+++ b/src/role_statements.md
@@ -95,7 +95,6 @@ role user_r types user_t;
 role user_r types chfn_t;
 ```
 
-
 ## *attribute_role*
 
 The *attribute_role* statement declares a role attribute identifier that
@@ -160,7 +159,6 @@ attribute_role role_list_1;
 attribute_role srole_list_2;
 ```
 
-
 ## *roleattribute*
 
 The <code>roleattribute</code> statement allows the association of previously
@@ -232,7 +230,6 @@ role service_r;
 roleattribute service_r role_list_1;
 ```
 
-
 ## *allow*
 
 The role *allow* rule checks whether a request to change roles is allowed,
@@ -304,7 +301,6 @@ allow from_role_id to_role_id;
 allow sysadm_r secadm_r;
 ```
 
-
 ## *role_transition*
 
 The *role_transition* rule specifies that a role transition is required,
@@ -383,7 +379,6 @@ role_transition current_role_id type_id : class new_role_id;
 role_transition system_r unconfined_exec_t:process unconfined_r;
 ```
 
-
 ## *dominance* - Deprecated
 
 This rule has been deprecated and therefore should not be used. The role
@@ -465,7 +460,6 @@ Where:
 dominance { role message_filter_r { role unconfined_r };}
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/seandroid.md b/src/seandroid.md
index f3537c5..b1833eb 100644
--- a/src/seandroid.md
+++ b/src/seandroid.md
@@ -42,7 +42,6 @@ The sections that follow cover:
 8.  Logging and auditing
 9.  Configuration file formats
 
-
 ## SE for Android Project Updates
 
 This gives a high level view of the new and updated projects to support
@@ -128,7 +127,6 @@ Provides the policy build tool. Added support for MacOS X. Not available
 on the device as policy rebuilds are done in the development environment.
 There are no specific updates to support Android except an *Android.bp* file.
 
-
 ### ***bootable/recovery***
 
 Changes to manage file labeling on recovery using functions such as
@@ -197,7 +195,6 @@ Build information for each device that includes device specific policy as
 discussed in the [**The SELinux Policy**](#the-selinux-policy) and
 [**Managing Device Policy Files**](#managing-device-policy-files) sections.
 
-
 ## Kernel LSM / SELinux Support
 
 The paper "Security Enhanced (SE) Android: Bringing Flexible MAC to
@@ -220,7 +217,6 @@ Kernel 5.0+ supports Dynamically Allocated Binder Devices, therefore
 configuring specific devices (e.g. **CONFIG_ANDROID_BINDER_DEVICES="binder"**)
 is no longer required (use ***CONFIG_ANDROID_BINDERFS=y*** instead).
 
-
 ## Android Classes & Permissions
 
 Additional classes have been added to Android and are listed in the
@@ -463,7 +459,6 @@ not all are required for Android.
 </tbody>
 </table>
 
-
 ## SELinux Commands
 
 A subset of the Linux SELinux commands have been implemented in Android
@@ -527,7 +522,6 @@ adb shell pm list permissions -g
 </tbody>
 </table>
 
-
 ## SELinux Public Methods
 
 The public methods implemented are equivalent to *libselinux* functions
@@ -630,7 +624,6 @@ TV package *AboutFragment.java* calls **SELinux.isSELinuxEnabled()**.
 </tbody>
 </table>
 
-
 ## Android Init Language SELinux Extensions
 
 The Android init process language has been expanded to support SELinux
@@ -676,7 +669,6 @@ service ueventd /system/bin/ueventd
     restorecon --recursive --skip-ce /data
 ```
 
-
 ## The SELinux Policy
 
 This section covers the SELinux policy, its supporting configuration files
@@ -975,7 +967,6 @@ domains (not allowed) and *neverallow* assertions
 **version_policy** - Takes the given public platform policy, a private policy
 and a version number to produced a combined "versioned" policy file.
 
-
 ## Logging and Auditing
 
 Android supports auditing of SELinux events via the AOSP logger
@@ -1002,7 +993,6 @@ in the kernel buffers that can be read using ***dmesg**(1)*:
 adb shell dmesg
 ```
 
-
 ## Policy File Formats
 
 This section details the following Android policy files:
@@ -1118,7 +1108,6 @@ example taken from *device/generic/goldfish/fstab.ranchu*:
 /dev/block/pci/pci0000:00/0000:00:06.0/by-name/metadata /metadata ext4 .....
 ```
 
-
 ### ***seapp_contexts***
 
 The build process supports additional *seapp_contexts* files allowing
@@ -1367,7 +1356,6 @@ LABEL                                    USER    PID  PPID NAME
 u:r:untrusted_app:s0:c149,c256,c512,c768 u0_a149 1138 64   com.example.myapplication
 ```
 
-
 ### ***property_contexts***
 
 This file holds property service keys and their contexts that are
@@ -1386,7 +1374,6 @@ property_key security_context type value
 type = prefix or exact
 value = int, double, bool or string
 
-
 Example entries:
 
 ```
@@ -1411,7 +1398,6 @@ ro.telephony.call_ring.multiple   u:object_r:telephony_config_prop:s0 exact bool
 ro.telephony.default_cdma_sub     u:object_r:telephony_config_prop:s0 exact int
 ```
 
-
 ### ***service_contexts***
 
 This file holds binder service keys and their contexts that are matched
@@ -1462,7 +1448,6 @@ manager                 u:object_r:service_manager_vndservice:s0
 *                       u:object_r:default_android_vndservice:s0
 ```
 
-
 ### ***mac_permissions.xml***
 
 The *mac_permissions.xml* file is used to configure Run/Install-time MMAC
@@ -1549,7 +1534,6 @@ file:
      </signer>
 ```
 
-
 ### ***keys.conf***
 
 The *keys.conf* file is used by **insertkeys.py** for mapping the
@@ -1589,8 +1573,6 @@ USER      : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
 USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
 ```
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/security_context.md b/src/security_context.md
index c002c81..3ca93a2 100644
--- a/src/security_context.md
+++ b/src/security_context.md
@@ -116,7 +116,6 @@ unconfined_u:object_r:out_file_t Message-11
 # (see the process example above). The role remained as object_r.
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/selinux_cmds.md b/src/selinux_cmds.md
index 077ffb6..918d4c1 100644
--- a/src/selinux_cmds.md
+++ b/src/selinux_cmds.md
@@ -152,8 +152,6 @@ has a page that details all the available tools and commands at:
 </tbody>
 </table>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/selinux_overview.md b/src/selinux_overview.md
index 0fa89b9..a71b762 100644
--- a/src/selinux_overview.md
+++ b/src/selinux_overview.md
@@ -43,7 +43,6 @@ locations as follows:
 </tbody>
 </table>
 
-
 ## Is SELinux useful
 
 There are many views on the usefulness of SELinux on Linux based
@@ -124,7 +123,6 @@ The following maybe useful in providing a practical view of SELinux:
 4.  Older NSA documentation at: <https://www.nsa.gov/what-we-do/research/selinux/documentation/>
     that is informative.
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/sid_statement.md b/src/sid_statement.md
index dfe5684..07feb2c 100644
--- a/src/sid_statement.md
+++ b/src/sid_statement.md
@@ -73,7 +73,6 @@ sid unlabeled
 sid fs
 ```
 
-
 ## *sid context*
 
 The *sid context* statement is used to associate an initial security
@@ -151,7 +150,6 @@ sid unlabeled
 sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
 ```
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/subjects.md b/src/subjects.md
index 38c7fe1..4f677cb 100644
--- a/src/subjects.md
+++ b/src/subjects.md
@@ -37,15 +37,12 @@ under *semanage_t*).
 
 **Untrusted** - Everything else.
 
-
 <section class="footnotes">
 <ol>
 <li id="fns1"><p>The object class and its associated permissions are explained in the <strong><a href="object_classes_permissions.md#process-object-class"> Appendix A - Object Classes and Permissions - Process Object Class</a></strong> section.<a href="#fnsub1" class="footnote-back">↩</a></p></li>
 </ol>
 </section>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/terminology.md b/src/terminology.md
index 59e9c0f..77eaade 100644
--- a/src/terminology.md
+++ b/src/terminology.md
@@ -37,7 +37,6 @@
 | UID     | User Identifier                                                                          |
 | XACE    | X (windows) Access Control Extension                                                     |
 
-
 ## Terminology
 
 These give a brief introduction to the major components that form the
@@ -116,8 +115,6 @@ core SELinux infrastructure.
 </tbody>
 </table>
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/title.md b/src/title.md
index 68a4eb1..b218559 100644
--- a/src/title.md
+++ b/src/title.md
@@ -80,7 +80,6 @@ Android.
 **Object Classes and Permissions** - Describes the SELinux object
 classes and permissions.
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/toc.md b/src/toc.md
index 2bd299b..d7a4a72 100644
--- a/src/toc.md
+++ b/src/toc.md
@@ -61,7 +61,6 @@
 -   [Appendix D - Debugging Policy - Hints and Tips](debug_policy_hints.md#appendix-d---debugging-policy---hints-and-tips)
 -   [Appendix E - Policy Validation Example](policy_validation_example.md#appendix-e---policy-validation-example)
 
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/type_enforcement.md b/src/type_enforcement.md
index 20f14af..d8d08be 100644
--- a/src/type_enforcement.md
+++ b/src/type_enforcement.md
@@ -54,7 +54,6 @@ any SELinux service (i.e. it is only used to identify the type
 component), although as explained above CIL with namespaces does make
 identification of types easier.
 
-
 ### Constraints
 
 It is possible to add constraints on users, roles, types and MLS ranges,
@@ -88,7 +87,6 @@ The kernel policy language constraints are defined in the
 [**Constraint Statements**](constraint_statements.md#constraint-statements)
 section.
 
-
 ### Bounds
 
 It is possible to add bounds to users, roles and types, however
@@ -103,8 +101,6 @@ services. The [**Bounds Rules**](bounds_rules.md#bounds-rules)
 section defines the *typebounds* rule and also gives a summary of the
 *userbounds* and *rolebounds* rules.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/types_of_policy.md b/src/types_of_policy.md
index 32b36f9..a55fdd0 100644
--- a/src/types_of_policy.md
+++ b/src/types_of_policy.md
@@ -31,7 +31,6 @@ The type of SELinux policy can described in a number of ways:
 As can be seen the description of a policy can vary depending on the
 context.
 
-
 ## Reference Policy
 
 Note that this section only gives an introduction to the Reference
@@ -56,7 +55,6 @@ number of RPMs.
 The Reference Policy can be built as a Monolithic policy or as a Modular policy
 that has a 'base module' with zero or more optional 'loadable modules'.
 
-
 ## Policy Functionality Based on Name or Type
 
 Generally a policy is installed with a given name such as *targeted*,
@@ -93,7 +91,6 @@ The *NAME* and *TYPE* entries are defined in the reference policy
 [**Source Configuration Files**](reference_policy.md#source-configuration-files)
 section.
 
-
 ## Custom Policy
 
 This generally refers to a policy source that is either:
@@ -118,7 +115,6 @@ classes/permissions (see kernel *Documentation/admin-guide/LSM/SELinux.rst*
 for build instructions, also the
 [**Notebook Sample Policy - README**](./notebook-examples/selinux-policy/README.md)).
 
-
 ## Monolithic Policy
 
 A Monolithic policy is an SELinux policy that is compiled from one
@@ -133,7 +129,6 @@ The Reference Policy supports building of monolithic policies.
 
 In some cases the kernel policy binary file is also called a monolithic policy.
 
-
 ## Loadable Module Policy
 
 The loadable module infrastructure allows policy to be managed on a
@@ -166,7 +161,6 @@ into the final [**binary policy**](#policy-versions) for loading into
 the kernel, see
 "[**SELinux Policy Module Primer**](http://securityblog.org/brindle/2006/07/05/selinux-policy-module-primer/)".
 
-
 ### Optional Policy
 
 The loadable module policy infrastructure supports an
@@ -174,7 +168,6 @@ The loadable module policy infrastructure supports an
 allows policy rules to be defined but only enabled in the binary policy once
 the conditions have been satisfied.
 
-
 ## Conditional Policy
 
 Conditional policies can be implemented in monolithic or loadable module
@@ -199,7 +192,6 @@ the state of the boolean value or values. See the
 [**Conditional Policy Statements**](conditional_statements.md#conditional-policy-statements)
 section.
 
-
 ## Binary Policy
 
 This is also know as the kernel policy and is the policy file that is
@@ -227,7 +219,6 @@ is supported by Fedora):
 
 */etc/selinux/targeted/policy/policy.32*
 
-
 ## Policy Versions
 
 SELinux has a policy database (defined in the libsepol library) that
@@ -373,8 +364,6 @@ quoted (some SELinux utilities give both version numbers).
 
 **Table 1: Policy version descriptions**
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/users.md b/src/users.md
index b1dec2f..a1a86b1 100644
--- a/src/users.md
+++ b/src/users.md
@@ -24,8 +24,6 @@ the [**Type Enforcement (TE)**](type_enforcement.md#type-enforcement) section.
 
 Some policies, for example Android, only make use of one user called *u*.
 
-
-
 <!-- %CUTHERE% -->
 
 ---
diff --git a/src/vm_support.md b/src/vm_support.md
index 07ad32f..80d5cd5 100644
--- a/src/vm_support.md
+++ b/src/vm_support.md
@@ -122,7 +122,6 @@ ls -Z /var/lib/libvirt/images
 system_u:object_r:svirt_image_t:s0:c585,c813 Dynamic_VM1.img
 system_u:object_r:svirt_image_t:s0:c535,c601 Dynamic_VM2.img
 
-
 ps -eZ | grep qemu
 system_u:system_r:svirt_tcg_t:s0:c585,c813 8707 ? 00:00:44 qemu-system-x86
 
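Review bot: The blank line removed between the `svirt_image_t` listing and `ps -eZ | grep qemu` sits in what reads as literal command output rather than prose, so unlike the heading-spacing hunks in this patch it can change how the example renders. If this region is inside a fenced block, consider restricting the consolidation to text outside fences, or confirm in the rendered HTML and PDF that the `ls -Z` and `ps -eZ` examples are still visibly separated.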
@@ -228,7 +227,6 @@ initialisation process will take place:
     The following example shows each VM having the same file label but
     different process labels:
 
-
 | VM Image           | Object    | Security context                             |
 | -------------------| ----------| -------------------------------------------- |
 | Shareable_VM       | *process* | *system_u:system_r:svirt_tcg_t:s0:c231,c245* |


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 16/18] kernel_policy_language: convert the footnotes to markdown
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (13 preceding siblings ...)
  2020-08-04  1:34 ` [RFC,selinux-notebook PATCH 15/18] all: consolidate multiple blank lines into one Paul Moore
@ 2020-08-04  1:35 ` Paul Moore
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 17/18] title: assorted updates Paul Moore
                   ` (2 subsequent siblings)
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:35 UTC (permalink / raw)
  To: selinux

There are still more footnotes that need to be converted, and the
kernel_policy_language.md file still needs to be fully converted to
markdown, but this resolved a problem seen while building the PDF.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/kernel_policy_language.md |   38 +++++++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/kernel_policy_language.md b/src/kernel_policy_language.md
index eba0564..a4118f9 100644
--- a/src/kernel_policy_language.md
+++ b/src/kernel_policy_language.md
@@ -6,9 +6,9 @@ then has links to each section within this document.
 
 ## Policy Source Files
 
-There are three basic types of policy source file<strong><a href="#fn1" class="footnote-ref" id="fnker1"><sup>1</sup></a></strong> that can contain language statements
-and rules. The three types of policy
-source file<strong><a href="#fn2" class="footnote-ref" id="fnker2"><sup>2</sup></a></strong> are:
+There are three basic types of policy source file[^fn_kpl_1] that can contain
+language statements and rules. The three types of policy source file[^fn_kpl_2]
+are:
 
 **Monolithic Policy** - This is a single policy source file that
 contains all statements. By convention this file is called policy.conf
@@ -739,7 +739,7 @@ within an *if/else* construct, *optional {rule_list}*, or
 <td>neverallow</td>
 <td>Yes</td>
 <td>Yes</td>
-<td><strong>Yes</strong><sup><strong><a href="#fnk3" class="footnote-ref" id="fnker3"><sup>3</sup></a></strong></sup></td>
+<td><strong>Yes</strong>[^fn_kpl_3]</td>
 <td>No</td>
 <td>Yes</td>
 <td>No</td>
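Review bot: `[^fn_kpl_3]` in the *neverallow* row is placed inside a raw HTML `<td>`, so it becomes a footnote only if the renderer parses markdown inside HTML blocks; otherwise the literal text `[^fn_kpl_3]` shows up in the cell. Since the commit message says this file is not yet fully converted, check this cell in the HTML, PDF and GitHub views before merging, or convert the table first.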
@@ -801,9 +801,9 @@ within an *if/else* construct, *optional {rule_list}*, or
 <tr>
 <td>require</td>
 <td>No</td>
-<td><strong>Yes</strong><sup><strong><a href="#fnk4" class="footnote-ref" id="fnker4"><sup>4</sup></a></strong></sup></td>
+<td><strong>Yes</strong>[^fn_kpl_4]</td>
 <td>Yes</td>
-<td><strong>Yes</strong><sup><strong><a href="#fnk5" class="footnote-ref" id="fnker5"><sup>5</sup></a></strong></sup></td>
+<td><strong>Yes</strong>[^fn_kpl_5]</td>
 <td>Yes</td>
 <td>No</td>
 </tr>
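Review bot: The two references in the *require* row, `[^fn_kpl_4]` and `[^fn_kpl_5]`, point at footnotes whose text is identical ("Only if preceded by the *optional* statement."), carrying over the old `fnk4`/`fnk5` split. If the renderers in use accept repeated references to one label, a single footnote would avoid the duplicate entry; if the split is deliberate, say so in the commit message. The same raw-HTML `<td>` rendering question as for `[^fn_kpl_3]` applies to both cells.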
@@ -969,15 +969,23 @@ Note these are not kernel policy statements, but used by the Reference Policy
 to assist policy build:
 -   [Modular Policy Support Statements](modular_policy_statements.md#modular-policy-support-statements)
 
-<section class="footnotes">
-<ol>
-<li id="fn1"><p>It is important to note that the <strong>Reference Policy</strong> builds policy using makefiles and m4 support macros within its own source file structure. However, the end result of the make process is that there can be three possible types of source file built (depending on the <strong>MONOLITHIC=Y/N</strong> build option). These files contain the policy language statements and rules that are finally complied into a binary policy.<a href="#fnker1" class="footnote-back">↩</a></p></li>
-<li id="fn2"><p>This does not include the <em>file_contexts</em> file as it does not contain policy statements, only default security contexts (labels) that will be used to label files and directories.<a href="#fnker2" class="footnote-back">↩</a></p></li>
-<li id="fnk3"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the <code>expand-check=1</code> entry present.<a href="#fnker3" class="footnote-back">↩</a></p></li>
-<li id="fnk4"><p>Only if preceded by the <code>optional</code> statement.<a href="#fnker4" class="footnote-back">↩</a></p></li>
-<li id="fnk5"><p>Only if preceded by the <code>optional</code> statement.<a href="#fnker5" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
+[^fn_kpl_1]: It is important to note that the Reference Policy builds policy
+using makefiles and m4 support macros within its own source file structure.
+However, the end result of the make process is that there can be three possible
+types of source file built (depending on the *MONOLITHIC=Y/N* build option).
+These files contain the policy language statements and rules that are finally
+complied into a binary policy.
+
+[^fn_kpl_2]: This does not include the *file_contexts* file as it does not
+contain policy statements, only default security contexts (labels) that will be
+used to label files and directories.
+
+[^fn_kpl_3]: *neverallow* statements are allowed in modules, however to detect
+these the *semanage.conf* file must have the *expand-check=1* entry present.
+
+[^fn_kpl_4]: Only if preceded by the *optional* statement.
+
+[^fn_kpl_5]: Only if preceded by the *optional* statement.
 
 <!-- %CUTHERE% -->
 
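Review bot: In the `[^fn_kpl_1]` text, "finally complied into a binary policy" carries the old typo over from the HTML footnote and should read "compiled". The conversion also turns `<code>neverallow</code>`, `<code>expand-check=1</code>` and `<code>optional</code>` into `*...*` emphasis instead of backtick code spans, which changes how they render; use backticks or note in the commit message that the change is intended.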


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 17/18] title: assorted updates
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (14 preceding siblings ...)
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 16/18] kernel_policy_language: convert the footnotes to markdown Paul Moore
@ 2020-08-04  1:35 ` Paul Moore
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 18/18] x_windows: don't call table 12 a table Paul Moore
  2020-08-04 10:31 ` [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Richard Haines
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:35 UTC (permalink / raw)
  To: selinux

Several small updates to the title page(s), in no particular order:

- Add my name to the copyright list
- Add an acknowledgment to Richard thanking him for donating the
  notebook's source material
- Updated the link for Máirín Duffy
- Provide a link to the GitHub repo so people can find the most
  recent release

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/title.md |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/title.md b/src/title.md
index b218559..5c98d9d 100644
--- a/src/title.md
+++ b/src/title.md
@@ -20,7 +20,9 @@
 
 ## Copyright Information
 
-Copyright © 2020 [*Richard Haines*](mailto:richard_c_haines@btinternet.com).
+Copyright (c) 2020 [*Richard Haines*](mailto:richard_c_haines@btinternet.com)
+
+Copyright (c) 2020 [*Paul Moore*](mailto:paul@paul-moore.com)
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
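Review bot: The existing copyright line changes from `©` to `(c)` and loses its trailing period, but the commit message only lists adding a name. If the symbol change is needed for one of the output formats, state that in the commit message; otherwise leave the original line as it was and add only the new `Paul Moore` line.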
@@ -30,7 +32,10 @@ See: **<http://www.gnu.org/licenses/fdl-1.3.html>**
 
 ## Acknowledgements
 
-Logo designed by [*Máirín Duffy*](http://pookstar.deviantart.com/)
+The Notebook was originally created by *Richard Haines* who graciously donated
+the source material to the SELinux project.
+
+The SELinux logo was designed by [*Máirín Duffy*](https://blog.linuxgrrl.com).
 
 <!-- %PAGEBREAK% -->
 
@@ -80,6 +85,13 @@ Android.
 **Object Classes and Permissions** - Describes the SELinux object
 classes and permissions.
 
+### Updated Editions
+
+The SELinux Notebook is being maintained as part of the SELinux project, more
+recent editions may be available.
+
+See: **<https://github.com/SELinuxProject/selinux-notebook>**
+
 <!-- %CUTHERE% -->
 
 ---
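Review bot: The sentence added under `### Updated Editions` is a comma splice ("...as part of the SELinux project, more recent editions may be available."); split it into two sentences or join them with a semicolon.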


^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [RFC,selinux-notebook PATCH 18/18] x_windows: don't call table 12 a table
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (15 preceding siblings ...)
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 17/18] title: assorted updates Paul Moore
@ 2020-08-04  1:35 ` Paul Moore
  2020-08-04 10:31 ` [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Richard Haines
  17 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-04  1:35 UTC (permalink / raw)
  To: selinux

From: Richard Haines <richard_c_haines@btinternet.com>

I've removed the Table 12: reference and reworded. This now just looks
like a list.

Also fixed a few minor nits + added a contents list.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/x_windows.md |  146 +++++++++++++++++++++++++++++-------------------------
 1 file changed, 79 insertions(+), 67 deletions(-)

diff --git a/src/x_windows.md b/src/x_windows.md
index 6fdd39e..74edc62 100644
--- a/src/x_windows.md
+++ b/src/x_windows.md
@@ -1,5 +1,14 @@
 # X-Windows SELinux Support
 
+-   [**Infrastructure Overview**](#infrastructure-overview)
+-   [**Polyinstantiation**](#polyinstantiation)
+-   [**Configuration Information**](#configuration-information)
+    -    [**Enable/Disable the OM from Policy Decisions**](#enabledisable-the-om-from-policy-decisions)
+    -    [**Configure OM Enforcement Mode**](#configure-om-enforcement-mode)
+    -    [**Determine OM X-extension Opcode**](#determine-om-x-extension-opcode)
+    -    [**The *x_contexts* File**](#the-x_contexts-file)
+-   [**SELinux Extension Functions**](#selinux-extension-functions)
+
 The SELinux X-Windows (XSELinux) implementation provides fine grained
 access control over the majority of the X-server objects (known as
 resources) using an X-Windows extension acting as the object manager
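Review bot: In the new contents list the four nested entries use `-    [` (four spaces after the dash) while the top-level entries use `-   [` (three); use the same marker spacing at both levels so the nesting depends only on the leading indentation. It is also worth confirming that the longer anchors, such as `#enabledisable-the-om-from-policy-decisions`, match the generated heading ids in both the HTML and PDF output.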
@@ -53,7 +62,7 @@ information that is required by the OM for labeling certain objects. The
 OM reads its contents using the ***selabel_lookup**(3)* function.
 
 **XSELinux Object Manager** - This is an X-extension for the X-server
-process that mediates all access decisions between the the X-server (via
+process that mediates all access decisions between the X-server (via
 the XACE interface) and the SELinux security server (via *libselinux*).
 The OM is initialised before any X-clients connect to the X-server.
 
@@ -235,21 +244,30 @@ A full description of the *x_contexts* file format is given in the
 
 ## SELinux Extension Functions
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxQueryVersion              | 0                | None       |
+The XSELinux Extension Functions listed below are supported by the object
+manager as X-protocol extensions.
+
+Note that **XSELinuxGet\*** functions return a default context, however
+those with Minor Parameter: 2, 6, 9, 11, 16 and 18 will not return a value
+unless one has been set by the appropriate **XSELinuxSet\*** function (Minor
+Parameter: 1, 5, 8, 10, 15 and 17).
+
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxQueryVersion              | 0               | None                  |
 
 Returns the XSELinux version. Fedora returns 1.1.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxSetDeviceCreateContext    | 1                | Context + Len         |
+
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxSetDeviceCreateContext    | 1               | Context + Len         |
 
 Sets the context for creating a device object (*x_device*).
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetDeviceCreateContext    | 2                | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetDeviceCreateContext    | 2               | None                  |
 
 Retrieves the context set by *XSELinuxSetDeviceCreateContext*.
 
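Review bot: An extra `+` blank line is added after "Returns the XSELinux version. Fedora returns 1.1.", which leaves two consecutive blank lines before the `XSELinuxSetDeviceCreateContext` table and undoes the consolidation from patch 15/18 at this spot; drop the added blank line.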
@@ -259,115 +277,115 @@ Retrieves the context set by *XSELinuxSetDeviceCreateContext*.
 
 Sets the context for creating the specified DeviceID object.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetDeviceContext          | 4                | DeviceID              |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetDeviceContext          | 4               | DeviceID              |
 
 Retrieves the context set by *XSELinuxSetDeviceContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
+| Function Name                     | Minor Parameter | Opcode                |
 | --------------------------------- | ---------------- | --------------------- |
 | XSELinuxSetWindowCreateContext    | 5                | Context + Len         |
 
 Set the context for creating a window object (*x_window*).
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetWindowCreateContext    | 6                | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetWindowCreateContext    | 6               | None                  |
 
 Retrieves the context set by *XSELinuxSetWindowCreateContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetWindowContext          | 7                | WindowID              |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetWindowContext          | 7               | WindowID              |
 
 Retrieves the specified WindowID context.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxSetPropertyCreateContext  | 8                | Context               |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxSetPropertyCreateContext  | 8               | Context               |
 
 Sets the context for creating a property object (*x_property*).
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetPropertyCreateContext  | 9                | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetPropertyCreateContext  | 9               | None                  |
 
 Retrieves the context set by *XSELinuxSetPropertyCreateContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxSetPropertyUseContext     | 10               | Context + Len         |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxSetPropertyUseContext     | 10              | Context + Len         |
 
 Sets the context of the property object to be retrieved when polyinstantiation
 is being used.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetPropertyUseContext     | 11               | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetPropertyUseContext     | 11              | None                  |
 
 Retrieves the property object context set by *SELinuxSetPropertyUseContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetPropertyContext        | 12               | WindowID + AtomID     |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetPropertyContext        | 12              | WindowID + AtomID     |
 
 Retrieves the context of the property atom object.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetPropertyDataContext    | 13               | WindowID + AtomID     |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetPropertyDataContext    | 13              | WindowID + AtomID     |
 
 Retrieves the context of the property atom data.
 
-| Function Name                     | Minor Parameters | Opcode                |
+| Function Name                     | Minor Parameter | Opcode                |
 | --------------------------------- | ---------------- | --------------------- |
 | XSELinuxListProperties            | 14               | WindowID              |
 
 Lists the object and data contexts of properties associated with the selected
 WindowID.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxSetSelectionCreateContext | 15               | Context + Len         |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxSetSelectionCreateContext | 15              | Context + Len         |
 
 Sets the context to be used for creating a selection object.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetSelectionCreateContext | 16               | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetSelectionCreateContext | 16              | None                  |
 
 Retrieves the context set by *SELinuxSetSelectionCreateContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxSetSelectionUseContext    | 17               | Context + Len         |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxSetSelectionUseContext    | 17              | Context + Len         |
 
 Sets the context of the selection object to be retrieved when polyinstantiation
 is being used. See the *XSELinuxListSelections* function for an example.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetSelectionUseContext    | 18               | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetSelectionUseContext    | 18              | None                  |
 
 Retrieves the selection object context set by *SELinuxSetSelectionUseContext*.
 
-| Function Name                     | Minor Parameters | Opcode                |
+| Function Name                     | Minor Parameter | Opcode                |
 | --------------------------------- | ---------------- | --------------------- |
 | XSELinuxGetSelectionContext       | 19               | AtomID                |
 
 Retrieves the context of the specified selection atom object.
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetSelectionDataContext   | 20               | AtomID                |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetSelectionDataContext   | 20              | AtomID                |
 
 Retrieves the context of the selection data from the current selection owner
 (*x_application_data* object).
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxListSelections            | 21               | None                  |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxListSelections            | 21              | None                  |
 
 Lists the selection atom object and data contexts associated with this display.
 The main difference in the listings is that when (for example) the *PRIMARY*
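Review bot: the column headings look transposed throughout this hunk: the column renamed to "Minor Parameter" holds the request numbers (8 to 22) and the "Opcode" column holds the arguments ("Context + Len", "WindowID + AtomID", "None"), so "Minor Opcode" and "Parameters" would match the data better than a singular/plural tweak. The *XSELinuxListProperties* and *XSELinuxGetSelectionContext* tables also get only their header row changed, leaving the separator and data rows as context at the old width, so those two are misaligned in the raw markdown. The context descriptions still cite *SELinuxSetPropertyUseContext*, *SELinuxSetSelectionCreateContext* and *SELinuxSetSelectionUseContext* without the leading X used in the Function Name column.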
@@ -391,18 +409,12 @@ Atom: PRIMARY - Labels for client 2:
 - Object Context: *system_u:object_r:x_select_paste2_t*
 - Data Context: *system_u:object_r:x_select_paste2_t*
 
-| Function Name                     | Minor Parameters | Opcode                |
-| --------------------------------- | ---------------- | --------------------- |
-| XSELinuxGetClientContext          | 22               | ResourceID            |
+| Function Name                     | Minor Parameter | Opcode                |
+| --------------------------------- | --------------- | --------------------- |
+| XSELinuxGetClientContext          | 22              | ResourceID            |
 
 Retrieves the client context of the specified ResourceID.
 
-**Table 12: The XSELinux Extension Functions** - *Supported by the object
-manager as X-protocol extensions. Note that some functions will return
-the default contexts, while others (2, 6, 9, 11, 16, 18) will not return
-a value unless one has been set the the appropriate function (1, 5, 8,
-10, 15, 17) by an SELinux-aware application.*
-
 <!-- %CUTHERE% -->
 
 ---
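Review bot: the caption removed at the end of this hunk is the only visible statement that functions 2, 6, 9, 11, 16 and 18 return no value unless the matching set function (1, 5, 8, 10, 15, 17) has been called by an SELinux-aware application. Dropping the "Table 12" label is fine, but that behavioural note should survive as ordinary text; if it has been moved earlier in the file, fix the "set the the appropriate function" typo in the moved copy.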



* Re: [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups
  2020-08-04  1:33 [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Paul Moore
                   ` (16 preceding siblings ...)
  2020-08-04  1:35 ` [RFC,selinux-notebook PATCH 18/18] x_windows: don't call table 12 a table Paul Moore
@ 2020-08-04 10:31 ` Richard Haines
  2020-08-06  1:58   ` Paul Moore
  17 siblings, 1 reply; 24+ messages in thread
From: Richard Haines @ 2020-08-04 10:31 UTC (permalink / raw)
  To: Paul Moore, selinux

On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:
> This patchset helps to get us a little closer to finishing the work
> of converting The SELinux Notebook to markdown.  I believe this is
> a worthwhile goal for two main reasons: it makes the raw markdown
> much easier to read (the HTML tables are painful in source form),
> and it makes it easier to render the markdown into different formats
> (currently HTML and PDF).
> 
> My original goal for this patchset was to complete the markdown
> conversion before posting the series, but I now realize that was
> neither a practical or good idea.  While this patchset may miss my
> original goal, I do believe it is a step forward both in terms of the
> raw markdown and the rendered formats, and I would suggest we merge
> these changes assuming no strong objections.
> 
> For those who want to quickly check the markdown on GitHub or the
> rendered HTML and PDF formats, I've included the links below:
> 
> * https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.pdf
> * https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.html
> * https://github.com/pcmoore/misc-selinux_notebook/tree/working-md_full
> 

I'm okay with these changes.

The changes of tables to lists in the policy rules files
(xperms_rules.md etc.) make the text much easier on the eye when
reading in all formats. Splitting the policy types looks better too.

I think a small number of the HTML tables will be difficult to convert
to pipe tables, also others when converted may require the HTML <br> to
make them more readable (using <br> seems to be the only way to get
line breaks in pipe tables). Still, see how it goes !!

Acked-by: Richard Haines <richard_c_haines@btinternet.com>

> ---
> 
> Paul Moore (16):
>       build: explicitly enable pandoc pipe_tables
>       css: identify table layout hacks
>       css: style improvements
>       x_windows: fully convert to markdown
>       xperm_rules: fully convert to markdown
>       xen_statements: fully convert to markdown
>       vm_support: fully convert to markdown
>       user_statements: fully convert to markdown
>       userspace_libraries: fully convert to markdown
>       type_statements: fully convert to markdown
>       all: remove all the <br> tags we haven't gotten to yet
>       all: unify example formatting (scripts, code, policy, etc) in markdown
>       all: don't use "`" for formatting text, use "*" instead
>       all: consolidate multiple blank lines into one
>       kernel_policy_language: convert the footnotes to markdown
>       title: assorted updates
> 
> Richard Haines (2):
>       postgresql: update PostgreSQL SELinux Support section
>       x_windows: don't call table 12 a table
> 
> 
>  src/apache_support.md              |  53 +--
>  src/auditing.md                    |  36 +-
>  src/avc_rules.md                   |  48 +--
>  src/bounds_rules.md                |  18 +-
>  src/cil_overview.md                |  43 +-
>  src/class_permission_statements.md |  44 +-
>  src/computing_access_decisions.md  |   2 -
>  src/computing_security_contexts.md | 224 +++++-----
>  src/conditional_statements.md      |  36 +-
>  src/configuration_files.md         |  10 +-
>  src/constraint_statements.md       |  52 +--
>  src/core_components.md             |  10 -
>  src/debug_policy_hints.md          |   5 -
>  src/default_rules.md               |  40 +-
>  src/domain_object_transitions.md   | 138 +++---
>  src/file_labeling_statements.md    |  58 ++-
>  src/global_config_files.md         |  16 +-
>  src/images/24-database-table.png   | Bin 44747 -> 0 bytes
>  src/implementing_seaware_apps.md   |  28 +-
>  src/infiniband_statements.md       |  36 +-
>  src/kernel_policy_language.md      |  59 ++-
>  src/libselinux_functions.md        |   4 +-
>  src/lsm_selinux.md                 | 161 ++++---
>  src/mac.md                         |   5 -
>  src/mls_mcs.md                     |  45 +-
>  src/mls_statements.md              |  84 ++--
>  src/modes.md                       |   7 +-
>  src/modular_policy_statements.md   |  28 +-
>  src/network_statements.md          |  80 ++--
>  src/network_support.md             |  78 ++--
>  src/object_classes_permissions.md  | 255 +++++------
>  src/objects.md                     |  40 +-
>  src/pam_login.md                   |   7 +-
>  src/policy_config_files.md         | 182 ++++----
>  src/policy_config_statements.md    |  10 +-
>  src/policy_languages.md            |   2 -
>  src/policy_store_config_files.md   | 137 +++---
>  src/policy_validation_example.md   |  14 +-
>  src/polyinstantiation.md           |  31 +-
>  src/postgresql.md                  | 145 +++----
>  src/rbac.md                        |   9 +-
>  src/reference_policy.md            | 321 ++++++--------
>  src/role_statements.md             |  82 ++--
>  src/seandroid.md                   |  91 ++--
>  src/security_context.md            |  10 +-
>  src/selinux_cmds.md                |   3 -
>  src/selinux_overview.md            |   4 -
>  src/sid_statement.md               |  24 +-
>  src/styles_html.css                |  16 +-
>  src/styles_pdf.css                 |  24 +-
>  src/subjects.md                    |   7 +-
>  src/terminology.md                 |   5 -
>  src/title.md                       |  16 +-
>  src/toc.md                         |   4 +-
>  src/type_enforcement.md            |  55 ++-
>  src/type_statements.md             | 672 ++++++++++++-----------------
>  src/types_of_policy.md             |  31 +-
>  src/user_statements.md             | 121 +++---
>  src/users.md                       |  15 +-
>  src/userspace_libraries.md         | 169 ++++----
>  src/vm_support.md                  | 147 ++-----
>  src/x_windows.md                   | 374 ++++++++--------
>  src/xen_statements.md              | 370 ++++++----------
>  src/xperm_rules.md                 | 146 +++----
>  64 files changed, 2157 insertions(+), 2830 deletions(-)
>  delete mode 100644 src/images/24-database-table.png
> 
> --
> paul moore
> www.paul-moore.com



* Re: [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
  2020-08-04  1:33 ` [RFC,selinux-notebook PATCH 05/18] xperm_rules: " Paul Moore
@ 2020-08-04 16:14   ` Richard Haines
  2020-08-06  2:34     ` Paul Moore
  0 siblings, 1 reply; 24+ messages in thread
From: Richard Haines @ 2020-08-04 16:14 UTC (permalink / raw)
  To: Paul Moore, selinux

On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  src/xperm_rules.md |  138 ++++++++++++++++++++++++----------------
> ------------
>  1 file changed, 64 insertions(+), 74 deletions(-)
> 
> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 48beb41..21878ea 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -2,8 +2,8 @@
>  
>  There are three extended AV rules implemented from Policy version 30
>  with the target platform 'selinux' that expand the permission sets
> from
> -a fixed 32 bits to permission sets in 256 bit increments:
> `allowxperm`,
> -`dontauditxperm`, `auditallowxperm` and `neverallowxperm`.
> +a fixed 32 bits to permission sets in 256 bit increments:
> *allowxperm*,
> +*dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
>  
>  The rules for extended permissions are subject to the 'operation'
> they
>  perform with Policy version 30 and kernels from 4.3 supporting ioctl
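Review bot: the first context line of this hunk says "There are three extended AV rules", but the sentence being reformatted names four (*allowxperm*, *dontauditxperm*, *auditallowxperm* and *neverallowxperm*). Since these lines are being touched anyway, change "three" to "four" here or in a follow-up.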
> @@ -16,66 +16,59 @@ libsepol 2.7 minimum is required).
>  
>  **Where:**
>  
> -<table>
> -<tbody>
> -<tr>
> -<td><code>rule_name</code></td>
> -<td>The applicable <code>allowxperm</code>,
> <code>dontauditxperm</code>, <code>auditallowxperm</code> or
> <code>neverallowxperm</code> rule keyword.</td>
> -</tr>
> -<tr>
> -<td><p><code>source_type</code></p>
> -<p><code>target_type</code></p></td>
> -<td><p>One or more source / target <code>type</code>,
> <code>typealias</code> or <code>attribute</code> identifiers.
> Multiple entries consist of a space separated list enclosed in braces
> '{}'. Entries can be excluded from the list by using the negative
> operator '-'.</p>
> -<p>The target_type can have the <code>self</code> keyword instead of
> <code>type</code>, <code>typealias</code> or <code>attribute</code>
> identifiers. This means that the <code>target_type</code> is the same
> as the <code>source_type</code>.</p></td>
> -</tr>
> -<tr>
> -<td><code>class</code></td>
> -<td>One or more object classes. Multiple entries consist of a space
> separated list enclosed in braces '{}'.</td>
> -</tr>
> -<tr>
> -<td><code>operation<code></td>
> -<td>A key word defining the operation to be implemented by the rule.
> Currently only the <code>ioctl</code> operation is supported by the
> kernel policy language and kernel as described in the  <a
> href="#ioctl-operation-rules"><code>ioctl</code> Operation Rules</a>
> section.</td>
> -</tr>
> -<tr>
> -<td><code>xperm_set</code></td>
> -<td><p>One or more extended permissions represented by numeric
> values (i.e. <code>0x8900</code> or <code>35072</code>). The usage is
> dependent on the specified <em>operation</em>.</p>
> -<p>Multiple entries consist of a space separated list enclosed in
> braces '{}'.</p>
> -<p>The complement operator '~' is used to specify all permissions
> except those explicitly listed.</p>
> -<p>The range operator '-' is used to specify all permissions within
> the <code>low – high</code> range.</p>
> -<p>An example is shown in the <a href="#ioctl-operation-
> rules"><code>ioctl</code> Operation Rules</a> section.</p></td>
> -</tr>
> -</tbody>
> -</table>
> +*rule_name*
> +
> +The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm*
> +or *neverallowxperm* rule keyword.
> +
> +*source_type*
> +
> +One or more source / target *type*, *typealias* or *attribute*
> identifiers.
> +Multiple entries consist of a space separated list enclosed in
> braces \'{}\'.
> +Entries can be excluded from the list by using the negative operator
> \'-\'.
> +
> +*target_type*
> +
> +The target_type can have the *self* keyword instead of *type*,
> *typealias* or
> +*attribute* identifiers. This means that the *target_type* is the
> same as the
> +*source_type*.
> +
> +*class*
> +
> +One or more object classes. Multiple entries consist of a space
> separated list
> +enclosed in braces \'{}\'.

I've had a rethink on this and wonder if it would be clearer if the
descriptions were a bullet list:

*class*

- One or more object classes. Multiple ...


> +
> +*operation*
> +
> +A key word defining the operation to be implemented by the rule.
> Currently only
> +the *ioctl* operation is supported by the kernel policy language and
> kernel as
> +described in the [*ioctl* Operation Rules](#ioctl-operation-rules)
> section.
> +
> +*xperm_set*
> +
> +One or more extended permissions represented by numeric values (i.e.
> *0x8900*
> +or *35072*). The usage is dependent on the specified *operation*.
> Multiple
> +entries consist of a space separated list enclosed in braces \'{}\'.
> The
> +complement operator \'\~\' is used to specify all permissions except
> those
> +explicitly listed. The range operator \'-\' is used to specify all
> permissions
> +within the *low – high* range. An example is shown in the
> +[*ioctl* Operation Rules](#ioctl-operation-rules) section.
>  
>  **The statement is valid in:**
>  
> -<table style="text-align:center">
> -<tbody>
> -<tr style="background-color:#D3D3D3;">
> -<td><strong>Monolithic Policy</strong></td>
> -<td><strong>Base Policy</strong></td>
> -<td><strong>Module Policy</strong></td>
> -</tr>
> -<tr>
> -<td>Yes</td>
> -<td>Yes</td>
> -<td>Yes</td>
> -</tr>
> -<tr style="background-color:#D3D3D3;">
> -<td><strong>Conditional Policy <code>if</code>
> Statement</strong></td>
> -<td><strong><code>optional</code> Statement</strong></td>
> -<td><strong><code>require</code> Statement</strong></td>
> -</tr>
> -<tr>
> -<td>No</td>
> -<td>No</td>
> -<td>No</td>
> -</tr>
> -</tbody>
> -</table>
> -<br>
> -
> -### `ioctl` Operation Rules
> +Policy Type
> +
> +| Monolithic Policy       | Base Policy             | Module
> Policy           |
> +| ----------------------- | ----------------------- | --------------
> --------- |
> +| Yes                     | Yes                     |
> Yes                     |
> +
> +Conditional Policy Statements
> +
> +| *if* statement          | *optional* Statement    | *require*
> Statement     |
> +| ----------------------- | ----------------------- | --------------
> --------- |
> +| No                      | No                      |
> No                      |
> +
> +### *ioctl* Operation Rules
>  
>  Use cases and implementation details for ioctl command whitelisting
> are
>  described in detail at
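Review bot: the removed HTML table had *source_type* and *target_type* sharing one cell, so "One or more source / target *type*, *typealias* or *attribute* identifiers" and the braces and '-' rules applied to both; the added text puts that paragraph under *source_type* alone and leaves *target_type* with only the *self* sentence. A reader looking up *target_type* no longer sees the list and exclusion syntax, so use a combined "*source_type* / *target_type*" entry or repeat the description. The backslash escapes in \'{}\' and \'\~\' are not needed in markdown and work against the raw-readability goal of the series.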
> @@ -85,14 +78,14 @@ policy format changes shown in the example below
> with a brief overview
>  the final upstream kernel patch).
>  
>  Ioctl calls are generally used to get or set device options. Policy
> -versions &lt; 30 only controls whether an `ioctl` permission is
> allowed
> -or not, for example this rule allows the object class `tcp_socket`
> the
> -`ioctl` permission:
> +versions &lt; 30 only controls whether an *ioctl* permission is
> allowed
> +or not, for example this rule allows the object class *tcp_socket*
> the
> +*ioctl* permission:
>  
>  `allow src_t tgt_t : tcp_socket ioctl;`
>  
>  From Policy version 30 it is possible to control ***ioctl**(2)*
> -'*request*' parameters provided the `ioctl` permission is also
> allowed,
> +'*request*' parameters provided the *ioctl* permission is also
> allowed,
>  for example:
>  
>  ```
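Review bot: the context line "versions &lt; 30 only controls whether" keeps an HTML entity in a file this patch describes as fully converted to markdown; a plain "<" followed by a space renders the same and reads better in source. The verb should also agree with "Policy versions" ("only control").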
> @@ -101,14 +94,14 @@ allow src_t tgt_t : tcp_socket ioctl;
>  allowxperm src_t tgt_t : tcp_socket ioctl ~0x8927;
>  ```
>  
> -The `allowxperm` rule states that all ioctl request parameters are
> +The *allowxperm* rule states that all ioctl request parameters are
>  allowed for the source/target/class with the exception of the value
> -`0x8927` that (using *include/linux/sockios.h*) is
> **SIOCGIFHWADDR**, or
> +*0x8927* that (using *include/linux/sockios.h*) is
> **SIOCGIFHWADDR**, or
>  'get hardware address'.
>  
>  An example audit log entry denying an ioctl request to add a routing
> -table entry (**SIOCADDRT** - `ioctlcmd=890b`) for *goldfish_setup*
> on a
> -`udp_socket` is:
> +table entry (**SIOCADDRT** - *ioctlcmd=890b*) for *goldfish_setup*
> on a
> +*udp_socket* is:
>  
>  ```
>  type=1400 audit(1437408413.860:6): avc: denied { ioctl } for pid=81
> @@ -121,18 +114,15 @@ Notes:
>  
>  1.  Important: The ioctl operation is not 'deny all' ioctl requests
>      (hence whitelisting). It is targeted at the specific
> -    source/target/class set of ioctl commands. As no other
> `allowxperm`
> +    source/target/class set of ioctl commands. As no other
> *allowxperm*
>      rules have been defined in the example, all other ioctl calls
> may
>      continue to use any valid request parameters (provided there are
> -    `allow` rules for the `ioctl` permission).
> +    *allow* rules for the *ioctl* permission).
>  2.  As the ***ioctl**(2)* function requires a file descriptor, its
> -    context must match the process context otherwise the `fd { use
> }`
> +    context must match the process context otherwise the *fd { use
> }*
>      class/permission is required.
>  3.  To deny all ioctl requests for a specific source/target/class
> the
> -    `xperm_set` should be set to `0` or `0x0`.
> -
> -
> -<br>
> +    *xperm_set* should be set to *0* or *0x0*.
>  
>  <!-- %CUTHERE% -->
>  
> 



* Re: [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups
  2020-08-04 10:31 ` [RFC,selinux-notebook PATCH 00/18] markdown conversions and cleanups Richard Haines
@ 2020-08-06  1:58   ` Paul Moore
  0 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-06  1:58 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On Tue, Aug 4, 2020 at 6:31 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:
> > This patchset helps to get us a little closer to finishing the work
> > of converting The SELinux Notebook to markdown.  I believe this is
> > a worthwhile goal for two main reasons: it makes the raw markdown
> > much easier to read (the HTML tables are painful in source form),
> > and it makes it easier to render the markdown into different formats
> > (currently HTML and PDF).
> >
> > My original goal for this patchset was to complete the markdown
> > conversion before posting the series, but I now realize that was
> > neither a practical or good idea.  While this patchset may miss my
> > original goal, I do believe it is a step forward both in terms of the
> > raw markdown and the rendered formats, and I would suggest we merge
> > these changes assuming no strong objections.
> >
> > For those who want to quickly check the markdown on GitHub or the
> > rendered HTML and PDF formats, I've included the links below:
> >
> > * https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.pdf
> > * https://drop.paul-moore.com/21.HGW6/SELinux_Notebook.html
> > * https://github.com/pcmoore/misc-selinux_notebook/tree/working-md_full
> >
>
> I'm okay with these changes.
>
> The changes of tables to lists in the policy rules files
> (xperms_rules.md etc.) make the text much easier on the eye when
> reading in all formats. Splitting the policy types looks better too.

Thanks Richard.

> I think a small number of the HTML tables will be difficult to convert
> to pipe tables, also others when converted may require the HTML <br> to
> make them more readable (using <br> seems to be the only way to get
> line breaks in pipe tables). Still, see how it goes !!
>
> Acked-by: Richard Haines <richard_c_haines@btinternet.com>

Who doesn't love a good challenge :)

I went ahead and added your ACK to all the patches that weren't yours
(ACK'ing your own patch seems silly) and pushed the bunch to the repo
- thanks!

-- 
paul moore
www.paul-moore.com


* Re: [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
  2020-08-04 16:14   ` Richard Haines
@ 2020-08-06  2:34     ` Paul Moore
  2020-08-06 10:07       ` Richard Haines
  0 siblings, 1 reply; 24+ messages in thread
From: Paul Moore @ 2020-08-06  2:34 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On Tue, Aug 4, 2020 at 12:14 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:

...

> > +*rule_name*
> > +
> > +The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm*
> > +or *neverallowxperm* rule keyword.
> > +
> > +*source_type*
> > +
> > +One or more source / target *type*, *typealias* or *attribute*
> > identifiers.
> > +Multiple entries consist of a space separated list enclosed in
> > braces \'{}\'.
> > +Entries can be excluded from the list by using the negative operator
> > \'-\'.
> > +
> > +*target_type*
> > +
> > +The target_type can have the *self* keyword instead of *type*,
> > *typealias* or
> > +*attribute* identifiers. This means that the *target_type* is the
> > same as the
> > +*source_type*.
> > +
> > +*class*
> > +
> > +One or more object classes. Multiple entries consist of a space
> > separated list
> > +enclosed in braces \'{}\'.
>
> I've had a rethink on this and wonder if it would be clearer if the
> descriptions were a bullet list:
>
> *class*
>
> - One or more object classes. Multiple ...

Ooops.  I forgot about this comment in my inbox when I merged the
patchset; although I guess even if we go with the bulleted list having
the table in markdown first should make this easier.

I guess we could give it a try and see how it looks?  My only concern
is that sometimes a list with only one item can look a bit "off".  Or
am I misunderstanding what you are proposing?

-- 
paul moore
www.paul-moore.com


* Re: [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
  2020-08-06  2:34     ` Paul Moore
@ 2020-08-06 10:07       ` Richard Haines
  2020-08-06 21:49         ` Paul Moore
  0 siblings, 1 reply; 24+ messages in thread
From: Richard Haines @ 2020-08-06 10:07 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On Wed, 2020-08-05 at 22:34 -0400, Paul Moore wrote:
> On Tue, Aug 4, 2020 at 12:14 PM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:
> 
> ...
> 
> > > +*rule_name*
> > > +
> > > +The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm*
> > > +or *neverallowxperm* rule keyword.
> > > +
> > > +*source_type*
> > > +
> > > +One or more source / target *type*, *typealias* or *attribute*
> > > identifiers.
> > > +Multiple entries consist of a space separated list enclosed in
> > > braces \'{}\'.
> > > +Entries can be excluded from the list by using the negative
> > > operator
> > > \'-\'.
> > > +
> > > +*target_type*
> > > +
> > > +The target_type can have the *self* keyword instead of *type*,
> > > *typealias* or
> > > +*attribute* identifiers. This means that the *target_type* is
> > > the
> > > same as the
> > > +*source_type*.
> > > +
> > > +*class*
> > > +
> > > +One or more object classes. Multiple entries consist of a space
> > > separated list
> > > +enclosed in braces \'{}\'.
> > 
> > I've had a rethink on this and wonder if it would be clearer if the
> > descriptions were a bullet list:
> > 
> > *class*
> > 
> > - One or more object classes. Multiple ...
> 
> Ooops.  I forgot about this comment in my inbox when I merged the
> patchset; although I guess even if we go with the bulleted list
> having
> the table in markdown first should make this easier.
> 
> I guess we could give it a try and see how it looks?  My only concern
> is that sometimes a list with only one item can look a bit "off".  Or
> am I misunderstanding what you are proposing?

I've posted the SE Android section as an RFC patch that converts HTML
tables to lists. See what you think.

I sent the Reference Policy updates yesterday but it never made it to
the list as I didn't realise it was over 100K, still I guess you had
your copy.

> 



* Re: [RFC,selinux-notebook PATCH 05/18] xperm_rules: fully convert to markdown
  2020-08-06 10:07       ` Richard Haines
@ 2020-08-06 21:49         ` Paul Moore
  0 siblings, 0 replies; 24+ messages in thread
From: Paul Moore @ 2020-08-06 21:49 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On Thu, Aug 6, 2020 at 6:07 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Wed, 2020-08-05 at 22:34 -0400, Paul Moore wrote:
> > On Tue, Aug 4, 2020 at 12:14 PM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > On Mon, 2020-08-03 at 21:33 -0400, Paul Moore wrote:
> >
> > ...
> >
> > > > +*rule_name*
> > > > +
> > > > +The applicable *allowxperm*, *dontauditxperm*, *auditallowxperm*
> > > > +or *neverallowxperm* rule keyword.
> > > > +
> > > > +*source_type*
> > > > +
> > > > +One or more source / target *type*, *typealias* or *attribute*
> > > > identifiers.
> > > > +Multiple entries consist of a space separated list enclosed in
> > > > braces \'{}\'.
> > > > +Entries can be excluded from the list by using the negative
> > > > operator
> > > > \'-\'.
> > > > +
> > > > +*target_type*
> > > > +
> > > > +The target_type can have the *self* keyword instead of *type*,
> > > > *typealias* or
> > > > +*attribute* identifiers. This means that the *target_type* is
> > > > the
> > > > same as the
> > > > +*source_type*.
> > > > +
> > > > +*class*
> > > > +
> > > > +One or more object classes. Multiple entries consist of a space
> > > > separated list
> > > > +enclosed in braces \'{}\'.
> > >
> > > I've had a rethink on this and wonder if it would be clearer if the
> > > descriptions were a bullet list:
> > >
> > > *class*
> > >
> > > - One or more object classes. Multiple ...
> >
> > Ooops.  I forgot about this comment in my inbox when I merged the
> > patchset; although I guess even if we go with the bulleted list
> > having
> > the table in markdown first should make this easier.
> >
> > I guess we could give it a try and see how it looks?  My only concern
> > is that sometimes a list with only one item can look a bit "off".  Or
> > am I misunderstanding what you are proposing?
>
> I've posted the SE Android section as an RFC patch that converts HTML
> tables to lists. See what you think.

Okay, I'll take a look.  I'm inclined to merge it regardless just
because it does the HTML->MD conversion.  Once we get it fully into
markdown, especially the tables, it should be easier to edit for
consistency, style, etc.

> I sent the Reference Policy updates yesterday but it never made it to
> the list as I didn't realise it was over 100K, still I guess you had
> your copy.

Yes, I just ran out of energy last night when I was working my way
through the other patches.  Hopefully I'll get through the rest
today/tomorrow.

-- 
paul moore
www.paul-moore.com
