[PATCH 1/5] policycoreutils: Add examples to man pages

[PATCH 1/5] policycoreutils: Add examples to man pages

[Vit Mojzis]

While at it, remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 policycoreutils/scripts/fixfiles.8          | 35 +++++++++++++--------
 policycoreutils/secon/secon.1               | 12 +++++--
 policycoreutils/semodule/semodule.8         | 14 ++++-----
 policycoreutils/setfiles/restorecon.8       |  9 ++++++
 policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
 policycoreutils/setfiles/setfiles.8         |  9 ++++++
 policycoreutils/setsebool/setsebool.8       | 16 +++++++---
 7 files changed, 75 insertions(+), 27 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9a317d91..2365df19 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
 .B fixfiles
 .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
 
-.B fixfiles 
+.B fixfiles
 .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
 
 .B fixfiles
@@ -31,7 +31,7 @@ This manual page describes the
 script.
 .P
 This script is primarily used to correct the security context
-database (extended attributes) on filesystems.  
+database (extended attributes) on filesystems.
 .P
 It can also be run at any time to relabel when adding support for
 new policy, or  just check whether the file contexts are all
@@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
 The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
 excluded from relabeling.
 .P
-.B fixfiles onboot 
+.B fixfiles onboot
 will setup the machine to relabel on the next reboot.
 
 .SH "OPTIONS"
-.TP 
+.TP
 .B \-B
 If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
 .TP
 .B \-F
 Force reset of context to match file_context for customizable files
 
-.TP 
+.TP
 .B \-f
 Clear /tmp directory with out prompt for removal.
 
-.TP 
+.TP
 .B \-R rpmpackagename[,rpmpackagename...]
 Use the rpm database to discover all files within the specified packages and restore the file contexts.
 .TP
 .B \-C PREVIOUS_FILECONTEXT
 Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
 
-.TP 
+.TP
 .B \-N time
 Only act on files created after the specified date.  Date must be specified in
 "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
@@ -83,19 +83,29 @@ Use parallel relabeling, see
 
 .SH "ARGUMENTS"
 One of:
-.TP 
+.TP
 .B check | verify
 print any incorrect file context labels, showing old and new context, but do not change them.
-.TP 
+.TP
 .B restore
 change any incorrect file context labels.
-.TP 
+.TP
 .B relabel
 Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
-.TP 
-.B [[dir/file] ... ] 
+.TP
+.B [[dir/file] ... ]
 List of files or directories trees that you wish to check file context on.
 
+.SH EXAMPLE
+.nf
+Clear /tmp and relabel the whole filesystem, forcing relabeling of customizable types.
+Note that all paths listed in /etc/selinux/fixfiles_exclude_dirs will be ignored
+# fixfiles -f -F relabel
+Schedule the machine to relabel on the next boot
+# fixfiles onboot
+Check labeling of all files from the samba package (while not changing any labels)
+# fixfiles -R samba check
+
 .SH "AUTHOR"
 This man page was written by Richard Hally <rhally@mindspring.com>.
 The script  was written by Dan Walsh <dwalsh@redhat.com>
@@ -103,4 +113,3 @@ The script  was written by Dan Walsh <dwalsh@redhat.com>
 .SH "SEE ALSO"
 .BR setfiles (8),
 .BR restorecon (8)
-
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 501b5cb8..c0e8b05a 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -107,16 +107,24 @@ then the context will be read from stdin.
 .br
 If there is no argument,
 .B secon
-will try reading a context from stdin, if that is not a tty, otherwise 
+will try reading a context from stdin, if that is not a tty, otherwise
 .B secon
 will act as though \fB\-\-self\fR had been passed.
 .PP
 If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
 \fB\-\-mls\-range\fR is passed.
 Then all of them will be output.
+
+.SH EXAMPLE
+.nf
+Show SElinux context of the init process
+# secon --pid 1
+Parse the type portion of given security context
+# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
+
 .PP
 .SH SEE ALSO
 .BR chcon (1)
 .SH AUTHORS
 .nf
-James Antill (james.antill@redhat.com) 
+James Antill (james.antill@redhat.com)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index c56e580f..01757b00 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -1,5 +1,5 @@
 .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
-.SH NAME 
+.SH NAME
 semodule \- Manage SELinux policy modules.
 
 .SH SYNOPSIS
@@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
 .SH DESCRIPTION
 .PP
 semodule is the tool used to manage SELinux policy modules,
-including installing, upgrading, listing and removing modules.  
+including installing, upgrading, listing and removing modules.
 semodule may also be used to force a rebuild of policy from the
 module store and/or to force a reload of policy without performing
 any other transaction.  semodule acts on module packages created
@@ -39,7 +39,7 @@ install/replace a module package
 .B  \-u,\-\-upgrade=MODULE_PKG
 deprecated, alias for --install
 .TP
-.B  \-b,\-\-base=MODULE_PKG   
+.B  \-b,\-\-base=MODULE_PKG
 deprecated, alias for --install
 .TP
 .B  \-r,\-\-remove=MODULE_NAME
@@ -77,7 +77,7 @@ name of the store to operate on
 .B  \-n,\-\-noreload,\-N
 do not reload policy after commit
 .TP
-.B  \-h,\-\-help        
+.B  \-h,\-\-help
 prints help message and quit
 .TP
 .B \-P,\-\-preserve_tunables
@@ -92,7 +92,7 @@ Use an alternate path for the policy root
 .B \-S,\-\-store-path
 Use an alternate path for the policy store root
 .TP
-.B  \-v,\-\-verbose     
+.B  \-v,\-\-verbose
 be verbose
 .TP
 .B  \-c,\-\-cil
@@ -131,8 +131,6 @@ $ semodule \-B
 $ semodule \-d alsa
 # Install a module at a specific priority.
 $ semodule \-X 100 \-i alsa.pp
-# List all modules.
-$ semodule \-\-list=full
 # Set an alternate path for the policy root
 $ semodule \-B \-p "/tmp"
 # Set an alternate path for the policy store root
@@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
 # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
 $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
 $ semodule -l -m | grep localmodule
+# Translate binary module file into CIL (useful for debugging installation errors)
+$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
 .fi
 
 .SH SEE ALSO
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index e07db2c8..c3cc5c9b 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -224,6 +224,15 @@ and provided the
 option is NOT set and recursive mode is set, files will be relabeled as
 required with the digests then being updated provided there are no errors.
 
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories and list all context changes
+# restorecon -rv /var/www/
+List mislabeled files in user home directory and what the correct label should be
+# restorecon -nvr ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# restorecon -vif file_list
+
 .SH "AUTHOR"
 This man page was written by Dan Walsh <dwalsh@redhat.com>.
 Some of the content of this man page was taken from the setfiles
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e6..51d12a4d 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
 .br
 the pathname of the directory tree to be searched.
 
+.SH EXAMPLE
+.nf
+List all paths that where assigned a checksum by "restorecon/setfiles -D"
+# restorecon_xattr -r /
+Remove all non-matching checksums
+# restorecon_xattr -rd /
+
 .SH "SEE ALSO"
 .BR restorecon (8),
 .BR setfiles (8)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index bf26e161..892a5062 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -289,6 +289,15 @@ and provided the
 option is NOT set, files will be relabeled as required with the digests then
 being updated provided there are no errors.
 
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
+# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
+List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
+# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
+
 .SH "AUTHOR"
 This man page was written by Russell Coker <russell@coker.com.au>.
 The program was written by Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 52936f5a..f54664fb 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
 .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
 
 .SH "DESCRIPTION"
-.B setsebool 
-sets the current state of a particular SELinux boolean or a list of booleans 
-to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
+.B setsebool
+sets the current state of a particular SELinux boolean or a list of booleans
+to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
 
 Without the \-P option, only the current boolean value is
-affected; the boot-time default settings 
-are not changed. 
+affected; the boot-time default settings
+are not changed.
 
 If the \-P option is given, all pending values are written to
 the policy file on disk. So they will be persistent across reboots.
@@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
 
 If the \-V option is given, verbose error messages will be printed from semanage libraries.
 
+.SH EXAMPLE
+.nf
+Enable container_use_devices boolean (will return to persistent value after reboot)
+# setsebool container_use_devices 1
+Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
+# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
 
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-- 
2.40.0

[PATCH 2/5] python/sepolicy: Improve man pages

[Vit Mojzis]

- Add missing options
- Add examples
- Emphasize keywords
- Remove trailing whitespaces

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy-booleans.8    | 15 +++++++++++---
 python/sepolicy/sepolicy-communicate.8 | 14 ++++++++++---
 python/sepolicy/sepolicy-generate.8    | 28 ++++++++++++--------------
 python/sepolicy/sepolicy-gui.8         |  4 ++--
 python/sepolicy/sepolicy-interface.8   | 18 ++++++++++++++---
 python/sepolicy/sepolicy-manpage.8     | 25 +++++++++++++++++------
 python/sepolicy/sepolicy-network.8     | 17 ++++++++--------
 python/sepolicy/sepolicy-transition.8  | 19 +++++++++++------
 8 files changed, 93 insertions(+), 47 deletions(-)

diff --git a/python/sepolicy/sepolicy-booleans.8 b/python/sepolicy/sepolicy-booleans.8
index f8d8b56d..7f4b18e7 100644
--- a/python/sepolicy/sepolicy-booleans.8
+++ b/python/sepolicy/sepolicy-booleans.8
@@ -8,12 +8,16 @@ sepolicy-booleans \- Query SELinux Policy to see description of booleans
 .B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
 
 .SH "DESCRIPTION"
-sepolicy booleans will show all booleans and their descriptions, or you can 
-choose individual booleans to display
+.B sepolicy booleans
+will show all booleans and their descriptions, or you can
+choose individual booleans to display.
+Please make sure that selinux-policy-devel is present in your system since it contains boolean descriptions extracted from the policy source code. Otherwise
+.B sepolicy booleans
+will only show descriptions generated based on boolean names.
 
 .SH "OPTIONS"
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-a, \-\-all
@@ -22,6 +26,11 @@ Display all boolean descriptions
 .I                \-b, \-\-boolean
 boolean to get description
 
+.SH EXAMPLE
+.nf
+List descriptions of samba_create_home_dirs and samba_enable_home_dirs booleans
+# sepolicy booleans -b samba_create_home_dirs samba_enable_home_dirs
+
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
diff --git a/python/sepolicy/sepolicy-communicate.8 b/python/sepolicy/sepolicy-communicate.8
index 050aa475..5ecf6eff 100644
--- a/python/sepolicy/sepolicy-communicate.8
+++ b/python/sepolicy/sepolicy-communicate.8
@@ -8,7 +8,9 @@ sepolicy-communicate \- Generate a report showing if two SELinux Policy Domains
 .B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
 
 .SH "DESCRIPTION"
-Use sepolicy communicate to examine SELinux Policy to if a source SELinux Domain can communicate with a target SELinux Domain.
+Use
+.B sepolicy communicate
+to examine SELinux Policy and determine if a source SELinux Domain can communicate with a target SELinux Domain.
 The default command looks to see if there are any file types that the source domain can write, which the target domain can read.
 
 .SH "OPTIONS"
@@ -16,7 +18,7 @@ The default command looks to see if there are any file types that the source dom
 .I                \-c, \-\-class
 Specify the SELinux class which the source domain will attempt to communicate with the target domain.  (Default file)
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-s, \-\-source
@@ -31,9 +33,15 @@ Specify the target SELinux domain type.
 .I                \-T, \-\-targetaccess
 Specify the list of accesses used by the target SELinux domain type to receive communications from the source domain. Default Open, Read.
 
+.SH EXAMPLE
+.nf
+List types that can be used to communicate between samba daemon and apache server
+# sepolicy communicate -s httpd_t -t smbd_t
+Consider a type to be accessible by the source domain when it can be opened and appended to (as opposed to opened and written to)
+# sepolicy communicate -s httpd_t -t smbd_t -S open,append
+
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
 .SH "SEE ALSO"
 sepolicy(8), selinux(8)
-
diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
index 0c5f998f..d5dd6442 100644
--- a/python/sepolicy/sepolicy-generate.8
+++ b/python/sepolicy/sepolicy-generate.8
@@ -57,32 +57,29 @@ path. \fBsepolicy generate\fP will use the rpm payload of the
 application along with \fBnm \-D APPLICATION\fP to help it generate
 types and policy rules for your policy files.
 
-.B Type Enforcing File NAME.te
+.B Type Enforcement File NAME.te
 .br
-This file can be used to define all the types rules for a particular domain.
+This file can be used to define all the types enforcement rules for a particular domain.
 
 .I Note:
-Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file.  When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
 
 .B Interface File NAME.if
 .br
-This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
 
-.B File Context NAME.fc
+.B File Context File NAME.fc
 .br
-This file defines the default file context for the system, it takes the file types created in the te file and associates
+This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
 file paths to the types.  Tools like restorecon and RPM will use these paths to put down labels.
 
 .B RPM Spec File NAME_selinux.spec
 .br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
 
 .B Shell File NAME.sh
 .br
-This is a helper shell script to compile, install and fix the labeling on your test system.  It will also generate a man page based on the installed policy, and
-compile and build an RPM suitable to be installed on other machines
-
-If a generate is possible, this tool will print out all generate paths from the source domain to the target domain
+This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
 
 .SH "OPTIONS"
 .TP
@@ -97,10 +94,11 @@ Specify alternate name of policy. The policy will default to the executable or n
 .TP
 .I                \-p, \-\-path
 Specify the directory to store the created policy files. (Default to current working directory )
+.TP
 optional arguments:
 .TP
 .I                \-r, \-\-role
-Enter role(s) to which this admin user will transition.
+Enter role(s) to which this admin user will transition
 .TP
 .I                \-t, \-\-type
 Enter type(s) for which you will generate new definition and rule(s)
@@ -109,12 +107,12 @@ Enter type(s) for which you will generate new definition and rule(s)
 SELinux user(s) which will transition to this domain
 .TP
 .I                \-w, \-\-writepath
-Path(s) which the confined processes need to write
+Path(s) which the confined processes need to write to
 .TP
 .I                \-a, \-\-admin
 Domain(s) which the confined admin will administrate
 .TP
-.I  \-\-admin_user 
+.I  \-\-admin_user
 Generate Policy for Administrator Login User Role
 .TP
 .I  \-\-application
@@ -142,7 +140,7 @@ Generate Policy for Internet Services Daemon
 Generate Policy for Standard Init Daemon (Default)
 .TP
 .I  \-\-newtype
-Generate new policy for new types to add to an existing policy.
+Generate new policy for new types to add to an existing policy
 .TP
 .I  \-\-sandbox
 Generate Policy for Sandbox
diff --git a/python/sepolicy/sepolicy-gui.8 b/python/sepolicy/sepolicy-gui.8
index ed744cdb..65b69fab 100644
--- a/python/sepolicy/sepolicy-gui.8
+++ b/python/sepolicy/sepolicy-gui.8
@@ -11,7 +11,7 @@ Common options
 .br
 
 .SH "DESCRIPTION"
-Use \fBsepolicy gui\fP to run a the graphical user interface, which
+Use \fBsepolicy gui\fP to run the graphical user interface, which
 allows you to explore how SELinux confines different process domains.
 
 .SH "OPTIONS"
@@ -20,7 +20,7 @@ allows you to explore how SELinux confines different process domains.
 Display help message
 .TP
 .I                \-d, \-\-domain
-Initialize gui to the selected domain.
+Initialize gui to the selected domain
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-interface.8 b/python/sepolicy/sepolicy-interface.8
index 3e74ea62..a70a9306 100644
--- a/python/sepolicy/sepolicy-interface.8
+++ b/python/sepolicy/sepolicy-interface.8
@@ -5,10 +5,10 @@ sepolicy-interface \- Print interface information based on the installed SELinux
 .SH "SYNOPSIS"
 
 .br
-.B sepolicy interface  [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
+.B sepolicy interface  [\-h] [\-c] [\-v] [\-f FILE] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
 
 .SH "DESCRIPTION"
-Use sepolicy interface to print interfaces information based on SELinux Policy.
+Use \fBsepolicy interface\fP to print interface information based on SELinux Policy.
 
 .SH "OPTIONS"
 .TP
@@ -18,7 +18,7 @@ List all domains with admin interface
 .I                \-c, \-\-compile
 Test compile of interfaces
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-i, \-\-interface
@@ -32,6 +32,18 @@ List all domains with SELinux user role interface
 .TP
 .I                \-v, \-\-verbose
 Display extended information about the interface including parameters and description if available.
+.TP
+.I                \-f, \-\-file
+Interface file to be explored
+
+.SH EXAMPLE
+.nf
+Show description of given interface
+# sepolicy interface -vi samba_rw_config
+List interfaces in given interface file and show their description
+# sepolicy interface -f my_policy.if -lv
+Run compile test for all interfaces in given file
+# sepolicy interface -f my_policy.if -lc
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-manpage.8 b/python/sepolicy/sepolicy-manpage.8
index c05c9430..4991f645 100644
--- a/python/sepolicy/sepolicy-manpage.8
+++ b/python/sepolicy/sepolicy-manpage.8
@@ -8,27 +8,40 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
 .B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
 
 .SH "DESCRIPTION"
-Use sepolicy manpage to generate manpages based on SELinux Policy.
+Use \fBsepolicy manpage\fP to generate manpages based on SELinux Policy.
 
 .SH "OPTIONS"
 .TP
-.I                \-a, \-\-all        
+.I                \-a, \-\-all
 Generate Man Pages for All Domains
 .TP
-.I                \-d, \-\-domain     
+.I                \-d, \-\-domain
 Generate a Man Page for the specified domain. (Supports multiple commands)
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
+.I                \-o, \-\-os
+Specify the name of the OS to be used in the man page (only affects HTML man pages)
+.TP
 .I                \-p, \-\-path
 Specify the directory to store the created man pages. (Default to /tmp)
 .TP
 .I                \-r, \-\-root
-Specify alternate root directory to generate man pages from. (Default to /)
+Specify alternative root directory to generate man pages from. (Default to /)
+.TP
+.I                \-\-source_files
+Use file_contexts and policy.xml files from the specified root directory (the alternative root needs to include both files)
 .TP
 .I                \-w, \-\-web
-Generate an additional HTML man pages for the specified domain(s).
+Generate an additional HTML man pages for the specified domain(s)
+
+.SH EXAMPLE
+.nf
+Generate man pages for all available domains
+# sepolicy manpage -a
+Generate an HTML man page for domain alsa_t, setting the OS name to "My_distro"
+# sepolicy manpage -o My_distro -d alsa_t -w
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-network.8 b/python/sepolicy/sepolicy-network.8
index dcddec75..6faf60ab 100644
--- a/python/sepolicy/sepolicy-network.8
+++ b/python/sepolicy/sepolicy-network.8
@@ -8,27 +8,27 @@ sepolicy-network \- Examine the SELinux Policy and generate a network report
 .B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
 
 .SH "DESCRIPTION"
-Use sepolicy network to examine SELinux Policy and generate network reports.
+Use \fBsepolicy network\fP to examine SELinux Policy and generate network reports.
 
 .SH "OPTIONS"
 .TP
 .I                \-a, \-\-application
-Generate a report listing the ports to which the specified init application is allowed to connect and or bind.
+Generate a report listing the ports to which the specified init application is allowed to connect and or bind
 .TP
-.I                \-d, \-\-domain     
-Generate a report listing the ports to which the specified domain is allowed to connect and or bind.
+.I                \-d, \-\-domain
+Generate a report listing the ports to which the specified domain is allowed to connect and or bind
 .TP
-.I                \-l, \-\-list        
+.I                \-l, \-\-list
 List all Network Port Types defined in SELinux Policy
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-t, \-\-type
-Generate a report listing the port numbers associate with the specified SELinux port type.
+Generate a report listing the port numbers associate with the specified SELinux port type
 .TP
 .I                \-p, \-\-port
-Generate a report listing the SELinux port types associate with the specified port number.
+Generate a report listing the SELinux port types associate with the specified port number
 
 .SH "EXAMPLES"
 
@@ -88,4 +88,3 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
 .SH "SEE ALSO"
 sepolicy(8), selinux(8), semanage(8)
-
diff --git a/python/sepolicy/sepolicy-transition.8 b/python/sepolicy/sepolicy-transition.8
index 897f0c4c..9f9ff5a5 100644
--- a/python/sepolicy/sepolicy-transition.8
+++ b/python/sepolicy/sepolicy-transition.8
@@ -11,21 +11,28 @@ sepolicy-transition \- Examine the SELinux Policy and generate a process transit
 .B sepolicy transition [\-h] \-s SOURCE \-t TARGET
 
 .SH "DESCRIPTION"
-sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
+\fBsepolicy transition\fP will show all domains that a given SELinux source domain can transition to, including the entrypoint.
 
-If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the 
-paths.  If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
+paths.
 
 .SH "OPTIONS"
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-s, \-\-source
-Specify the source SELinux domain type.
+Specify the source SELinux domain type
 .TP
 .I                \-t, \-\-target
-Specify the target SELinux domain type.
+Specify the target SELinux domain type
+
+.SH EXAMPLE
+.nf
+List all domain transition paths from init_t to httpd_t
+# sepolicy transition -s init_t -t httpd_t
+List all transitions available from samba domain, including entry points and booleans controlling each transition
+# sepolicy transition -s smbd_t
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
-- 
2.40.0

[PATCH 3/5] sandbox: Add examples to man pages

[Vit Mojzis]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=y, Size: 5380 bytes --]

While at it, remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 sandbox/sandbox.8   | 28 ++++++++++++++++++----------
 sandbox/seunshare.8 | 21 ++++++++++++++-------
 2 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 1ee0ecea..095b9e27 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -11,12 +11,12 @@ sandbox \- Run cmd under an SELinux sandbox
 .br
 .SH DESCRIPTION
 .PP
-Run the 
-.I cmd 
+Run the
+.I cmd
 application within a tightly confined SELinux domain.  The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files.  The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox.
 
-If you have the 
-.I policycoreutils-sandbox 
+If you have the
+.I policycoreutils-sandbox
 package installed, you can use the \-X option and the \-M option.
 .B sandbox \-X
 allows you to run X applications within a sandbox.  These applications will start up their own X Server and create a temporary home directory and /tmp.  The default SELinux policy does not allow any capabilities or network access.  It also prevents all access to the users other processes and files.  Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
@@ -78,27 +78,35 @@ Run a full desktop session, Requires level, and home and tmpdir.
 Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
 .TP
 \fB\-W\fR \fB\-\-windowmanager\fR
-Select alternative window manager to run within 
+Select alternative window manager to run within
 .B sandbox \-X.
 Default to /usr/bin/openbox.
 .TP
-\fB\-X\fR 
+\fB\-X\fR
 Create an X based Sandbox for gui apps, temporary files for
 $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
 .TP
 \fB\-d\fR \fB\-\-dpi\fR
 Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
 .TP
-\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
-sandbox. By default applications executed within the sandbox will not
-be allowed to use capabilities (setuid apps), with the \-C flag, you
-can use programs requiring capabilities.
+\fB\-C\fR \fB\-\-capabilities\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the \-C flag, you can use programs requiring capabilities.
 .PP
 .SH "SEE ALSO"
 .TP
 runcon(1), seunshare(8), selinux(8)
 .PP
 
+.SH EXAMPLE
+.nf
+Run a graphical application inside the sandbox
+# sandbox -X evince
+Run a graphical application that requires the use of network
+# sandbox ‑X ‑t sandbox_web_t firefox
+Preserve data from one session to the next
+# mkdir -p ~/sandbox/home ~/sandbox/tmp
+# sandbox -H ~/sandbox/home -T ~/sandbox/tmp -X libreoffice --writer
+
 .SH AUTHOR
 This manual page was written by
 .I Dan Walsh <dwalsh@redhat.com>
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 09cf7fea..5339a3b1 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -9,29 +9,36 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 .PP
 Run the
 .I executable
-within the specified context, using the alternate home directory and /tmp directory.  The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
 
 .TP
 \fB\-h homedir\fR
-Alternate homedir to be used by the application.  Homedir must be owned by the user.
+Alternate homedir to be used by the application. Homedir must be owned by the user
 .TP
 \fB\-t\ tmpdir
-Use alternate temporary directory to mount on /tmp.  tmpdir must be owned by the user.
+Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user
 .TP
 \fB\-r\ runuserdir
-Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user
 .TP
 \fB\-C --capabilities\fR
-Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
+Allow apps executed within the namespace to use capabilities. Default is no capabilities
 .TP
 \fB\-k --kill\fR
-Kill all processes with matching MCS level.
+Kill all processes with matching MCS level
 .TP
 \fB\-Z\ context
-Use alternate SELinux context while running the executable.
+Use alternate SELinux context while running the executable
 .TP
 \fB\-v\fR
 Verbose output
+
+.SH EXAMPLE
+.nf
+Run bash with temporary /home and /tmp directory
+# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
+# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash
+
 .SH "SEE ALSO"
 .TP
 runcon(1), sandbox(8), selinux(8)
-- 
2.40.0

[PATCH 4/5] checkpolicy: Add examples to man pages

[Vit Mojzis]

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 checkpolicy/checkpolicy.8 | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 2984c238..aefa148c 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -12,8 +12,8 @@ command.
 .PP
 .B checkpolicy
 is a program that checks and compiles a SELinux security policy configuration
-into a binary representation that can be loaded into the kernel.  If no 
-input file name is specified,
+into a binary representation that can be loaded into the kernel.
+If no input file name is specified,
 .B checkpolicy
 will attempt to read from policy.conf or policy, depending on whether the \-b
 flag is specified.
@@ -64,6 +64,17 @@ Show version information.
 .B \-h,\-\-help
 Show usage information.
 
+.SH EXAMPLE
+.nf
+Generate policy.conf based on the system policy
+# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf
+Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
+Note that binary policy extension represents its version, which is subject to change
+# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
+# load_policy
+Generate CIL representation of current system policy
+# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.* -o policy.out
+
 .SH "SEE ALSO"
 SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
 
-- 
2.40.0

[PATCH 5/5] libselinux: Add examples to man pages

[Vit Mojzis]

Also fix some typos and remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libselinux/man/man8/getsebool.8    | 18 +++++++++++-------
 libselinux/man/man8/matchpathcon.8 | 19 +++++++++++++------
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
index d70bf1e4..9e36f04f 100644
--- a/libselinux/man/man8/getsebool.8
+++ b/libselinux/man/man8/getsebool.8
@@ -1,6 +1,6 @@
 .TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
-getsebool \- get SELinux boolean value(s) 
+getsebool \- get SELinux boolean value(s)
 .
 .SH "SYNOPSIS"
 .B getsebool
@@ -8,17 +8,16 @@ getsebool \- get SELinux boolean value(s)
 .RI [ boolean ]
 .
 .SH "DESCRIPTION"
-.B getsebool 
-reports where a particular SELinux boolean or
-all SELinux booleans are on or off
-In certain situations a boolean can be in one state with a pending 
-change to the other state.  getsebool will report this as a pending change.
+.B getsebool
+reports whether a particular SELinux boolean, or all SELinux booleans, are on or off.
+In certain situations a boolean can be in one state with a pending
+change to the other state. getsebool will report this as a pending change.
 The pending value indicates
 the value that will be applied upon the next boolean commit.
 
 The setting of boolean values occurs in two stages; first the pending
 value is changed, then the booleans are committed, causing their
-active values to become their pending values.  This allows a group of
+active values to become their pending values. This allows a group of
 booleans to be changed in a single transaction, by setting all of
 their pending values as desired and then committing once.
 .
@@ -27,6 +26,11 @@ their pending values as desired and then committing once.
 .B \-a
 Show all SELinux booleans.
 .
+.SH EXAMPLE
+.nf
+Show current state of httpd_can_connect_ftp
+# getsebool httpd_can_connect_ftp
+.
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 The program was written by Tresys Technology.
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
index 50c0d392..6d848f43 100644
--- a/libselinux/man/man8/matchpathcon.8
+++ b/libselinux/man/man8/matchpathcon.8
@@ -25,8 +25,8 @@ queries the system policy and outputs the default security context associated wi
 Identical paths can have different security contexts, depending on the file
 type (regular file, directory, link file, char file ...).
 
-.B matchpathcon 
-will also take the file type into consideration in determining the default security context if the file exists.  If the file does not exist, no file type matching will occur.
+.B matchpathcon
+will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
 .
 .SH OPTIONS
 .TP
@@ -34,19 +34,19 @@ will also take the file type into consideration in determining the default secur
 Force file type for the lookup.
 Valid types are
 .BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", "
-.BR lnk_file ", " sock_file .
+.BR lnk_file ", " sock_file
 .TP
 .B \-n
-Do not display path.
+Do not display path
 .TP
 .B \-N
-Do not use translations.
+Do not use translations
 .TP
 .BI \-f " file_context_file"
 Use alternate file_context file
 .TP
 .BI \-p " prefix"
-Use prefix to speed translations
+Use prefix to speed up translations
 .TP
 .BI \-P " policy_root_path"
 Use alternate policy root path
@@ -54,6 +54,13 @@ Use alternate policy root path
 .B \-V
 Verify file context on disk matches defaults
 .
+.SH EXAMPLE
+.nf
+Show the default label of sock_file cups.sock
+# matchpathcon -m sock_file /var/run/cups/cups.sock
+Verify that /var/www/html directory is labeled correctly (the content of the folder is not checked)
+# matchpathcon -V /var/www/html
+.
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 .
-- 
2.40.0

Re: [PATCH 1/5] policycoreutils: Add examples to man pages

[Petr Lautrbach]

Vit Mojzis <vmojzis@redhat.com> writes:

> While at it, remove trailing whitespaces.
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

See my comments bellow.

> ---
>  policycoreutils/scripts/fixfiles.8          | 35 +++++++++++++--------
>  policycoreutils/secon/secon.1               | 12 +++++--
>  policycoreutils/semodule/semodule.8         | 14 ++++-----
>  policycoreutils/setfiles/restorecon.8       |  9 ++++++
>  policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
>  policycoreutils/setfiles/setfiles.8         |  9 ++++++
>  policycoreutils/setsebool/setsebool.8       | 16 +++++++---
>  7 files changed, 75 insertions(+), 27 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index 9a317d91..2365df19 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
>  .B fixfiles
>  .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
>  
> -.B fixfiles 
> +.B fixfiles
>  .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
>  
>  .B fixfiles
> @@ -31,7 +31,7 @@ This manual page describes the
>  script.
>  .P
>  This script is primarily used to correct the security context
> -database (extended attributes) on filesystems.  
> +database (extended attributes) on filesystems.
>  .P
>  It can also be run at any time to relabel when adding support for
>  new policy, or  just check whether the file contexts are all
> @@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
>  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
>  excluded from relabeling.
>  .P
> -.B fixfiles onboot 
> +.B fixfiles onboot
>  will setup the machine to relabel on the next reboot.
>  
>  .SH "OPTIONS"
> -.TP 
> +.TP
>  .B \-B
>  If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
>  .TP
>  .B \-F
>  Force reset of context to match file_context for customizable files
>  
> -.TP 
> +.TP
>  .B \-f
>  Clear /tmp directory with out prompt for removal.
>  
> -.TP 
> +.TP
>  .B \-R rpmpackagename[,rpmpackagename...]
>  Use the rpm database to discover all files within the specified packages and restore the file contexts.
>  .TP
>  .B \-C PREVIOUS_FILECONTEXT
>  Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
>  
> -.TP 
> +.TP
>  .B \-N time
>  Only act on files created after the specified date.  Date must be specified in
>  "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
> @@ -83,19 +83,29 @@ Use parallel relabeling, see
>  
>  .SH "ARGUMENTS"
>  One of:
> -.TP 
> +.TP
>  .B check | verify
>  print any incorrect file context labels, showing old and new context, but do not change them.
> -.TP 
> +.TP
>  .B restore
>  change any incorrect file context labels.
> -.TP 
> +.TP
>  .B relabel
>  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
> -.TP 
> -.B [[dir/file] ... ] 
> +.TP
> +.B [[dir/file] ... ]
>  List of files or directories trees that you wish to check file context on.
>  
> +.SH EXAMPLE
> +.nf
> +Clear /tmp and relabel the whole filesystem, forcing relabeling of customizable types.
> +Note that all paths listed in /etc/selinux/fixfiles_exclude_dirs will be ignored
> +# fixfiles -f -F relabel

I think that leaning /tmp in running system could break user sessions so it's
important to note that. Or avoid -f in examples completely.

> +Schedule the machine to relabel on the next boot
> +# fixfiles onboot

I'd add (or change it) to `fixfiles -F onboot`

> +Check labeling of all files from the samba package (while not changing any labels)
> +# fixfiles -R samba check
> +
>  .SH "AUTHOR"
>  This man page was written by Richard Hally <rhally@mindspring.com>.
>  The script  was written by Dan Walsh <dwalsh@redhat.com>
> @@ -103,4 +113,3 @@ The script  was written by Dan Walsh <dwalsh@redhat.com>
>  .SH "SEE ALSO"
>  .BR setfiles (8),
>  .BR restorecon (8)
> -
> diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
> index 501b5cb8..c0e8b05a 100644
> --- a/policycoreutils/secon/secon.1
> +++ b/policycoreutils/secon/secon.1
> @@ -107,16 +107,24 @@ then the context will be read from stdin.
>  .br
>  If there is no argument,
>  .B secon
> -will try reading a context from stdin, if that is not a tty, otherwise 
> +will try reading a context from stdin, if that is not a tty, otherwise
>  .B secon
>  will act as though \fB\-\-self\fR had been passed.
>  .PP
>  If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
>  \fB\-\-mls\-range\fR is passed.
>  Then all of them will be output.
> +
> +.SH EXAMPLE
> +.nf
> +Show SElinux context of the init process
> +# secon --pid 1
> +Parse the type portion of given security context
> +# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
> +
>  .PP
>  .SH SEE ALSO
>  .BR chcon (1)
>  .SH AUTHORS
>  .nf
> -James Antill (james.antill@redhat.com) 
> +James Antill (james.antill@redhat.com)
> diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> index c56e580f..01757b00 100644
> --- a/policycoreutils/semodule/semodule.8
> +++ b/policycoreutils/semodule/semodule.8
> @@ -1,5 +1,5 @@
>  .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
> -.SH NAME 
> +.SH NAME
>  semodule \- Manage SELinux policy modules.
>  
>  .SH SYNOPSIS
> @@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
>  .SH DESCRIPTION
>  .PP
>  semodule is the tool used to manage SELinux policy modules,
> -including installing, upgrading, listing and removing modules.  
> +including installing, upgrading, listing and removing modules.
>  semodule may also be used to force a rebuild of policy from the
>  module store and/or to force a reload of policy without performing
>  any other transaction.  semodule acts on module packages created
> @@ -39,7 +39,7 @@ install/replace a module package
>  .B  \-u,\-\-upgrade=MODULE_PKG
>  deprecated, alias for --install
>  .TP
> -.B  \-b,\-\-base=MODULE_PKG   
> +.B  \-b,\-\-base=MODULE_PKG
>  deprecated, alias for --install
>  .TP
>  .B  \-r,\-\-remove=MODULE_NAME
> @@ -77,7 +77,7 @@ name of the store to operate on
>  .B  \-n,\-\-noreload,\-N
>  do not reload policy after commit
>  .TP
> -.B  \-h,\-\-help        
> +.B  \-h,\-\-help
>  prints help message and quit
>  .TP
>  .B \-P,\-\-preserve_tunables
> @@ -92,7 +92,7 @@ Use an alternate path for the policy root
>  .B \-S,\-\-store-path
>  Use an alternate path for the policy store root
>  .TP
> -.B  \-v,\-\-verbose     
> +.B  \-v,\-\-verbose
>  be verbose
>  .TP
>  .B  \-c,\-\-cil
> @@ -131,8 +131,6 @@ $ semodule \-B
>  $ semodule \-d alsa
>  # Install a module at a specific priority.
>  $ semodule \-X 100 \-i alsa.pp
> -# List all modules.
> -$ semodule \-\-list=full

Why is this removed?


>  # Set an alternate path for the policy root
>  $ semodule \-B \-p "/tmp"
>  # Set an alternate path for the policy store root
> @@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
>  # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
>  $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
>  $ semodule -l -m | grep localmodule
> +# Translate binary module file into CIL (useful for debugging installation errors)
> +$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
>  .fi

I'd put this before the check above, i.e. translate a binary first and then get checksum so that
/usr/libexec/selinux/hll/pp is used only once and it's clear what it
does.


>  .SH SEE ALSO
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index e07db2c8..c3cc5c9b 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -224,6 +224,15 @@ and provided the
>  option is NOT set and recursive mode is set, files will be relabeled as
>  required with the digests then being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories and list all context changes
> +# restorecon -rv /var/www/
> +List mislabeled files in user home directory and what the correct label should be
> +# restorecon -nvr ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# restorecon -vif file_list
> +

I personally prefer when options are not joined - restorecon -n -v -r ...

>  .SH "AUTHOR"
>  This man page was written by Dan Walsh <dwalsh@redhat.com>.
>  Some of the content of this man page was taken from the setfiles
> diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
> index e04528e6..51d12a4d 100644
> --- a/policycoreutils/setfiles/restorecon_xattr.8
> +++ b/policycoreutils/setfiles/restorecon_xattr.8
> @@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
>  .br
>  the pathname of the directory tree to be searched.
>  
> +.SH EXAMPLE
> +.nf
> +List all paths that where assigned a checksum by "restorecon/setfiles -D"
> +# restorecon_xattr -r /
> +Remove all non-matching checksums
> +# restorecon_xattr -rd /
> +
>  .SH "SEE ALSO"
>  .BR restorecon (8),
>  .BR setfiles (8)
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index bf26e161..892a5062 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -289,6 +289,15 @@ and provided the
>  option is NOT set, files will be relabeled as required with the digests then
>  being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
> +# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
> +List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
> +# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
> +
>  .SH "AUTHOR"
>  This man page was written by Russell Coker <russell@coker.com.au>.
>  The program was written by Stephen Smalley <sds@tycho.nsa.gov>
> diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
> index 52936f5a..f54664fb 100644
> --- a/policycoreutils/setsebool/setsebool.8
> +++ b/policycoreutils/setsebool/setsebool.8
> @@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
>  .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
>  
>  .SH "DESCRIPTION"
> -.B setsebool 
> -sets the current state of a particular SELinux boolean or a list of booleans 
> -to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
> +.B setsebool
> +sets the current state of a particular SELinux boolean or a list of booleans
> +to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
>  
>  Without the \-P option, only the current boolean value is
> -affected; the boot-time default settings 
> -are not changed. 
> +affected; the boot-time default settings
> +are not changed.
>  
>  If the \-P option is given, all pending values are written to
>  the policy file on disk. So they will be persistent across reboots.
> @@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
>  
>  If the \-V option is given, verbose error messages will be printed from semanage libraries.
>  
> +.SH EXAMPLE
> +.nf
> +Enable container_use_devices boolean (will return to persistent value after reboot)
> +# setsebool container_use_devices 1
> +Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
> +# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
>  
>  .SH AUTHOR
>  This manual page was written by Dan Walsh <dwalsh@redhat.com>.
> -- 
> 2.40.0

Re: [PATCH 2/5] python/sepolicy: Improve man pages

[Petr Lautrbach]

Vit Mojzis <vmojzis@redhat.com> writes:

> - Add missing options
> - Add examples
> - Emphasize keywords
> - Remove trailing whitespaces
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
>  python/sepolicy/sepolicy-booleans.8    | 15 +++++++++++---
>  python/sepolicy/sepolicy-communicate.8 | 14 ++++++++++---
>  python/sepolicy/sepolicy-generate.8    | 28 ++++++++++++--------------
>  python/sepolicy/sepolicy-gui.8         |  4 ++--
>  python/sepolicy/sepolicy-interface.8   | 18 ++++++++++++++---
>  python/sepolicy/sepolicy-manpage.8     | 25 +++++++++++++++++------
>  python/sepolicy/sepolicy-network.8     | 17 ++++++++--------
>  python/sepolicy/sepolicy-transition.8  | 19 +++++++++++------
>  8 files changed, 93 insertions(+), 47 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy-booleans.8 b/python/sepolicy/sepolicy-booleans.8
> index f8d8b56d..7f4b18e7 100644
> --- a/python/sepolicy/sepolicy-booleans.8
> +++ b/python/sepolicy/sepolicy-booleans.8
> @@ -8,12 +8,16 @@ sepolicy-booleans \- Query SELinux Policy to see description of booleans
>  .B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
>  
>  .SH "DESCRIPTION"
> -sepolicy booleans will show all booleans and their descriptions, or you can 
> -choose individual booleans to display
> +.B sepolicy booleans
> +will show all booleans and their descriptions, or you can
> +choose individual booleans to display.
> +Please make sure that selinux-policy-devel is present in your system since it contains boolean descriptions extracted from the policy source code. Otherwise
> +.B sepolicy booleans
> +will only show descriptions generated based on boolean names.
>  
>  .SH "OPTIONS"
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
>  .I                \-a, \-\-all
> @@ -22,6 +26,11 @@ Display all boolean descriptions
>  .I                \-b, \-\-boolean
>  boolean to get description
>  
> +.SH EXAMPLE
> +.nf
> +List descriptions of samba_create_home_dirs and samba_enable_home_dirs booleans
> +# sepolicy booleans -b samba_create_home_dirs samba_enable_home_dirs
> +
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
>  
> diff --git a/python/sepolicy/sepolicy-communicate.8 b/python/sepolicy/sepolicy-communicate.8
> index 050aa475..5ecf6eff 100644
> --- a/python/sepolicy/sepolicy-communicate.8
> +++ b/python/sepolicy/sepolicy-communicate.8
> @@ -8,7 +8,9 @@ sepolicy-communicate \- Generate a report showing if two SELinux Policy Domains
>  .B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
>  
>  .SH "DESCRIPTION"
> -Use sepolicy communicate to examine SELinux Policy to if a source SELinux Domain can communicate with a target SELinux Domain.
> +Use
> +.B sepolicy communicate
> +to examine SELinux Policy and determine if a source SELinux Domain can communicate with a target SELinux Domain.
>  The default command looks to see if there are any file types that the source domain can write, which the target domain can read.
>  
>  .SH "OPTIONS"
> @@ -16,7 +18,7 @@ The default command looks to see if there are any file types that the source dom
>  .I                \-c, \-\-class
>  Specify the SELinux class which the source domain will attempt to communicate with the target domain.  (Default file)
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
>  .I                \-s, \-\-source
> @@ -31,9 +33,15 @@ Specify the target SELinux domain type.
>  .I                \-T, \-\-targetaccess
>  Specify the list of accesses used by the target SELinux domain type to receive communications from the source domain. Default Open, Read.
>  
> +.SH EXAMPLE
> +.nf
> +List types that can be used to communicate between samba daemon and apache server
> +# sepolicy communicate -s httpd_t -t smbd_t
> +Consider a type to be accessible by the source domain when it can be opened and appended to (as opposed to opened and written to)
> +# sepolicy communicate -s httpd_t -t smbd_t -S open,append
> +
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
>  
>  .SH "SEE ALSO"
>  sepolicy(8), selinux(8)
> -
> diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
> index 0c5f998f..d5dd6442 100644
> --- a/python/sepolicy/sepolicy-generate.8
> +++ b/python/sepolicy/sepolicy-generate.8
> @@ -57,32 +57,29 @@ path. \fBsepolicy generate\fP will use the rpm payload of the
>  application along with \fBnm \-D APPLICATION\fP to help it generate
>  types and policy rules for your policy files.
>  
> -.B Type Enforcing File NAME.te
> +.B Type Enforcement File NAME.te

I think that NAME.te, NAME.fc, NAME.if  would be better as it simply
follows created file names.


>  .br
> -This file can be used to define all the types rules for a particular domain.
> +This file can be used to define all the types enforcement rules for a particular domain.
>  
>  .I Note:
> -Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file.  When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
> +Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
>  
>  .B Interface File NAME.if
>  .br
> -This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
> +This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
>  
> -.B File Context NAME.fc
> +.B File Context File NAME.fc


>  .br
> -This file defines the default file context for the system, it takes the file types created in the te file and associates
> +This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
>  file paths to the types.  Tools like restorecon and RPM will use these paths to put down labels.
>  
>  .B RPM Spec File NAME_selinux.spec
>  .br
> -This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
> +This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
>  
>  .B Shell File NAME.sh
>  .br
> -This is a helper shell script to compile, install and fix the labeling on your test system.  It will also generate a man page based on the installed policy, and
> -compile and build an RPM suitable to be installed on other machines
> -
> -If a generate is possible, this tool will print out all generate paths from the source domain to the target domain
> +This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
>  
>  .SH "OPTIONS"
>  .TP
> @@ -97,10 +94,11 @@ Specify alternate name of policy. The policy will default to the executable or n
>  .TP
>  .I                \-p, \-\-path
>  Specify the directory to store the created policy files. (Default to current working directory )
> +.TP
>  optional arguments:
>  .TP
>  .I                \-r, \-\-role
> -Enter role(s) to which this admin user will transition.
> +Enter role(s) to which this admin user will transition
>  .TP
>  .I                \-t, \-\-type
>  Enter type(s) for which you will generate new definition and rule(s)
> @@ -109,12 +107,12 @@ Enter type(s) for which you will generate new definition and rule(s)
>  SELinux user(s) which will transition to this domain
>  .TP
>  .I                \-w, \-\-writepath
> -Path(s) which the confined processes need to write
> +Path(s) which the confined processes need to write to
>  .TP
>  .I                \-a, \-\-admin
>  Domain(s) which the confined admin will administrate
>  .TP
> -.I  \-\-admin_user 
> +.I  \-\-admin_user
>  Generate Policy for Administrator Login User Role
>  .TP
>  .I  \-\-application
> @@ -142,7 +140,7 @@ Generate Policy for Internet Services Daemon
>  Generate Policy for Standard Init Daemon (Default)
>  .TP
>  .I  \-\-newtype
> -Generate new policy for new types to add to an existing policy.
> +Generate new policy for new types to add to an existing policy
>  .TP
>  .I  \-\-sandbox
>  Generate Policy for Sandbox
> diff --git a/python/sepolicy/sepolicy-gui.8 b/python/sepolicy/sepolicy-gui.8
> index ed744cdb..65b69fab 100644
> --- a/python/sepolicy/sepolicy-gui.8
> +++ b/python/sepolicy/sepolicy-gui.8
> @@ -11,7 +11,7 @@ Common options
>  .br
>  
>  .SH "DESCRIPTION"
> -Use \fBsepolicy gui\fP to run a the graphical user interface, which
> +Use \fBsepolicy gui\fP to run the graphical user interface, which
>  allows you to explore how SELinux confines different process domains.
>  
>  .SH "OPTIONS"
> @@ -20,7 +20,7 @@ allows you to explore how SELinux confines different process domains.
>  Display help message
>  .TP
>  .I                \-d, \-\-domain
> -Initialize gui to the selected domain.
> +Initialize gui to the selected domain
>  
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
> diff --git a/python/sepolicy/sepolicy-interface.8 b/python/sepolicy/sepolicy-interface.8
> index 3e74ea62..a70a9306 100644
> --- a/python/sepolicy/sepolicy-interface.8
> +++ b/python/sepolicy/sepolicy-interface.8
> @@ -5,10 +5,10 @@ sepolicy-interface \- Print interface information based on the installed SELinux
>  .SH "SYNOPSIS"
>  
>  .br
> -.B sepolicy interface  [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
> +.B sepolicy interface  [\-h] [\-c] [\-v] [\-f FILE] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
>  
>  .SH "DESCRIPTION"
> -Use sepolicy interface to print interfaces information based on SELinux Policy.
> +Use \fBsepolicy interface\fP to print interface information based on SELinux Policy.
>  
>  .SH "OPTIONS"
>  .TP
> @@ -18,7 +18,7 @@ List all domains with admin interface
>  .I                \-c, \-\-compile
>  Test compile of interfaces
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
>  .I                \-i, \-\-interface
> @@ -32,6 +32,18 @@ List all domains with SELinux user role interface
>  .TP
>  .I                \-v, \-\-verbose
>  Display extended information about the interface including parameters and description if available.
> +.TP
> +.I                \-f, \-\-file
> +Interface file to be explored
> +
> +.SH EXAMPLE
> +.nf
> +Show description of given interface
> +# sepolicy interface -vi samba_rw_config
> +List interfaces in given interface file and show their description
> +# sepolicy interface -f my_policy.if -lv
> +Run compile test for all interfaces in given file
> +# sepolicy interface -f my_policy.if -lc
>  
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
> diff --git a/python/sepolicy/sepolicy-manpage.8 b/python/sepolicy/sepolicy-manpage.8
> index c05c9430..4991f645 100644
> --- a/python/sepolicy/sepolicy-manpage.8
> +++ b/python/sepolicy/sepolicy-manpage.8
> @@ -8,27 +8,40 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
>  .B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
>  
>  .SH "DESCRIPTION"
> -Use sepolicy manpage to generate manpages based on SELinux Policy.
> +Use \fBsepolicy manpage\fP to generate manpages based on SELinux Policy.
>  
>  .SH "OPTIONS"
>  .TP
> -.I                \-a, \-\-all        
> +.I                \-a, \-\-all
>  Generate Man Pages for All Domains
>  .TP
> -.I                \-d, \-\-domain     
> +.I                \-d, \-\-domain
>  Generate a Man Page for the specified domain. (Supports multiple commands)
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
> +.I                \-o, \-\-os
> +Specify the name of the OS to be used in the man page (only affects HTML man pages)
> +.TP
>  .I                \-p, \-\-path
>  Specify the directory to store the created man pages. (Default to /tmp)
>  .TP
>  .I                \-r, \-\-root
> -Specify alternate root directory to generate man pages from. (Default to /)
> +Specify alternative root directory to generate man pages from. (Default to /)
> +.TP
> +.I                \-\-source_files
> +Use file_contexts and policy.xml files from the specified root directory (the alternative root needs to include both files)
>  .TP
>  .I                \-w, \-\-web
> -Generate an additional HTML man pages for the specified domain(s).
> +Generate an additional HTML man pages for the specified domain(s)
> +
> +.SH EXAMPLE
> +.nf
> +Generate man pages for all available domains
> +# sepolicy manpage -a
> +Generate an HTML man page for domain alsa_t, setting the OS name to "My_distro"
> +# sepolicy manpage -o My_distro -d alsa_t -w
>  
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
> diff --git a/python/sepolicy/sepolicy-network.8 b/python/sepolicy/sepolicy-network.8
> index dcddec75..6faf60ab 100644
> --- a/python/sepolicy/sepolicy-network.8
> +++ b/python/sepolicy/sepolicy-network.8
> @@ -8,27 +8,27 @@ sepolicy-network \- Examine the SELinux Policy and generate a network report
>  .B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
>  
>  .SH "DESCRIPTION"
> -Use sepolicy network to examine SELinux Policy and generate network reports.
> +Use \fBsepolicy network\fP to examine SELinux Policy and generate network reports.
>  
>  .SH "OPTIONS"
>  .TP
>  .I                \-a, \-\-application
> -Generate a report listing the ports to which the specified init application is allowed to connect and or bind.
> +Generate a report listing the ports to which the specified init application is allowed to connect and or bind
>  .TP
> -.I                \-d, \-\-domain     
> -Generate a report listing the ports to which the specified domain is allowed to connect and or bind.
> +.I                \-d, \-\-domain
> +Generate a report listing the ports to which the specified domain is allowed to connect and or bind
>  .TP
> -.I                \-l, \-\-list        
> +.I                \-l, \-\-list
>  List all Network Port Types defined in SELinux Policy
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
>  .I                \-t, \-\-type
> -Generate a report listing the port numbers associate with the specified SELinux port type.
> +Generate a report listing the port numbers associate with the specified SELinux port type
>  .TP
>  .I                \-p, \-\-port
> -Generate a report listing the SELinux port types associate with the specified port number.
> +Generate a report listing the SELinux port types associate with the specified port number
>  
>  .SH "EXAMPLES"
>  
> @@ -88,4 +88,3 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
>  
>  .SH "SEE ALSO"
>  sepolicy(8), selinux(8), semanage(8)
> -
> diff --git a/python/sepolicy/sepolicy-transition.8 b/python/sepolicy/sepolicy-transition.8
> index 897f0c4c..9f9ff5a5 100644
> --- a/python/sepolicy/sepolicy-transition.8
> +++ b/python/sepolicy/sepolicy-transition.8
> @@ -11,21 +11,28 @@ sepolicy-transition \- Examine the SELinux Policy and generate a process transit
>  .B sepolicy transition [\-h] \-s SOURCE \-t TARGET
>  
>  .SH "DESCRIPTION"
> -sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
> +\fBsepolicy transition\fP will show all domains that a given SELinux source domain can transition to, including the entrypoint.
>  
> -If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the 
> -paths.  If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
> +If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
> +paths.
>  
>  .SH "OPTIONS"
>  .TP
> -.I                \-h, \-\-help       
> +.I                \-h, \-\-help
>  Display help message
>  .TP
>  .I                \-s, \-\-source
> -Specify the source SELinux domain type.
> +Specify the source SELinux domain type
>  .TP
>  .I                \-t, \-\-target
> -Specify the target SELinux domain type.
> +Specify the target SELinux domain type
> +
> +.SH EXAMPLE
> +.nf
> +List all domain transition paths from init_t to httpd_t
> +# sepolicy transition -s init_t -t httpd_t
> +List all transitions available from samba domain, including entry points and booleans controlling each transition
> +# sepolicy transition -s smbd_t
>  
>  .SH "AUTHOR"
>  This man page was written by Daniel Walsh <dwalsh@redhat.com>
> -- 
> 2.40.0

Re: [PATCH 4/5] checkpolicy: Add examples to man pages

[Petr Lautrbach]

Vit Mojzis <vmojzis@redhat.com> writes:

> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
>  checkpolicy/checkpolicy.8 | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
> index 2984c238..aefa148c 100644
> --- a/checkpolicy/checkpolicy.8
> +++ b/checkpolicy/checkpolicy.8
> @@ -12,8 +12,8 @@ command.
>  .PP
>  .B checkpolicy
>  is a program that checks and compiles a SELinux security policy configuration
> -into a binary representation that can be loaded into the kernel.  If no 
> -input file name is specified,
> +into a binary representation that can be loaded into the kernel.
> +If no input file name is specified,
>  .B checkpolicy
>  will attempt to read from policy.conf or policy, depending on whether the \-b
>  flag is specified.
> @@ -64,6 +64,17 @@ Show version information.
>  .B \-h,\-\-help
>  Show usage information.
>  
> +.SH EXAMPLE
> +.nf
> +Generate policy.conf based on the system policy
> +# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf

Would not work on a system with multiple policy files:

# ls -l /etc/selinux/targeted/policy/
total 7016
-rw-r--r--. 1 root root 3590656 May 31 16:42 policy.32
-rw-r--r--. 1 root root 3590656 May 29 08:22 policy.33

# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf
usage:  checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-c policyvers (15-33)] [-o output_file|-] [-S] [-O] [-t target_platform (selinux,xen)] [-E] [-V] [input_file]

In EXAMPLES I think it's safe to use policy.33 everywhere. 

> +Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
> +Note that binary policy extension represents its version, which is subject to change
> +# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
> +# load_policy
> +Generate CIL representation of current system policy
> +# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.* -o policy.out
> +
>  .SH "SEE ALSO"
>  SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
>  
> -- 
> 2.40.0

Re: [PATCH 5/5] libselinux: Add examples to man pages

[Petr Lautrbach]

Vit Mojzis <vmojzis@redhat.com> writes:

> Also fix some typos and remove trailing whitespaces.
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>

Acked-by: Petr Lautrbach <lautrbach@redhat.com>

> ---
>  libselinux/man/man8/getsebool.8    | 18 +++++++++++-------
>  libselinux/man/man8/matchpathcon.8 | 19 +++++++++++++------
>  2 files changed, 24 insertions(+), 13 deletions(-)
>
> diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
> index d70bf1e4..9e36f04f 100644
> --- a/libselinux/man/man8/getsebool.8
> +++ b/libselinux/man/man8/getsebool.8
> @@ -1,6 +1,6 @@
>  .TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
>  .SH "NAME"
> -getsebool \- get SELinux boolean value(s) 
> +getsebool \- get SELinux boolean value(s)
>  .
>  .SH "SYNOPSIS"
>  .B getsebool
> @@ -8,17 +8,16 @@ getsebool \- get SELinux boolean value(s)
>  .RI [ boolean ]
>  .
>  .SH "DESCRIPTION"
> -.B getsebool 
> -reports where a particular SELinux boolean or
> -all SELinux booleans are on or off
> -In certain situations a boolean can be in one state with a pending 
> -change to the other state.  getsebool will report this as a pending change.
> +.B getsebool
> +reports whether a particular SELinux boolean, or all SELinux booleans, are on or off.
> +In certain situations a boolean can be in one state with a pending
> +change to the other state. getsebool will report this as a pending change.
>  The pending value indicates
>  the value that will be applied upon the next boolean commit.
>  
>  The setting of boolean values occurs in two stages; first the pending
>  value is changed, then the booleans are committed, causing their
> -active values to become their pending values.  This allows a group of
> +active values to become their pending values. This allows a group of
>  booleans to be changed in a single transaction, by setting all of
>  their pending values as desired and then committing once.
>  .
> @@ -27,6 +26,11 @@ their pending values as desired and then committing once.
>  .B \-a
>  Show all SELinux booleans.
>  .
> +.SH EXAMPLE
> +.nf
> +Show current state of httpd_can_connect_ftp
> +# getsebool httpd_can_connect_ftp
> +.
>  .SH AUTHOR
>  This manual page was written by Dan Walsh <dwalsh@redhat.com>.
>  The program was written by Tresys Technology.
> diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
> index 50c0d392..6d848f43 100644
> --- a/libselinux/man/man8/matchpathcon.8
> +++ b/libselinux/man/man8/matchpathcon.8
> @@ -25,8 +25,8 @@ queries the system policy and outputs the default security context associated wi
>  Identical paths can have different security contexts, depending on the file
>  type (regular file, directory, link file, char file ...).
>  
> -.B matchpathcon 
> -will also take the file type into consideration in determining the default security context if the file exists.  If the file does not exist, no file type matching will occur.
> +.B matchpathcon
> +will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
>  .
>  .SH OPTIONS
>  .TP
> @@ -34,19 +34,19 @@ will also take the file type into consideration in determining the default secur
>  Force file type for the lookup.
>  Valid types are
>  .BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", "
> -.BR lnk_file ", " sock_file .
> +.BR lnk_file ", " sock_file
>  .TP
>  .B \-n
> -Do not display path.
> +Do not display path
>  .TP
>  .B \-N
> -Do not use translations.
> +Do not use translations
>  .TP
>  .BI \-f " file_context_file"
>  Use alternate file_context file
>  .TP
>  .BI \-p " prefix"
> -Use prefix to speed translations
> +Use prefix to speed up translations
>  .TP
>  .BI \-P " policy_root_path"
>  Use alternate policy root path
> @@ -54,6 +54,13 @@ Use alternate policy root path
>  .B \-V
>  Verify file context on disk matches defaults
>  .
> +.SH EXAMPLE
> +.nf
> +Show the default label of sock_file cups.sock
> +# matchpathcon -m sock_file /var/run/cups/cups.sock
> +Verify that /var/www/html directory is labeled correctly (the content of the folder is not checked)
> +# matchpathcon -V /var/www/html
> +.
>  .SH AUTHOR
>  This manual page was written by Dan Walsh <dwalsh@redhat.com>.
>  .
> -- 
> 2.40.0

[PATCH v2 1/5] policycoreutils: Add examples to man pages

[Vit Mojzis]

While at it, remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 policycoreutils/scripts/fixfiles.8          | 34 +++++++++++++--------
 policycoreutils/secon/secon.1               | 12 ++++++--
 policycoreutils/semodule/semodule.8         | 14 ++++-----
 policycoreutils/setfiles/restorecon.8       |  9 ++++++
 policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
 policycoreutils/setfiles/setfiles.8         |  9 ++++++
 policycoreutils/setsebool/setsebool.8       | 16 +++++++---
 7 files changed, 74 insertions(+), 27 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9a317d91..928b8200 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
 .B fixfiles
 .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
 
-.B fixfiles 
+.B fixfiles
 .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
 
 .B fixfiles
@@ -31,7 +31,7 @@ This manual page describes the
 script.
 .P
 This script is primarily used to correct the security context
-database (extended attributes) on filesystems.  
+database (extended attributes) on filesystems.
 .P
 It can also be run at any time to relabel when adding support for
 new policy, or  just check whether the file contexts are all
@@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
 The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
 excluded from relabeling.
 .P
-.B fixfiles onboot 
+.B fixfiles onboot
 will setup the machine to relabel on the next reboot.
 
 .SH "OPTIONS"
-.TP 
+.TP
 .B \-B
 If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
 .TP
 .B \-F
 Force reset of context to match file_context for customizable files
 
-.TP 
+.TP
 .B \-f
 Clear /tmp directory with out prompt for removal.
 
-.TP 
+.TP
 .B \-R rpmpackagename[,rpmpackagename...]
 Use the rpm database to discover all files within the specified packages and restore the file contexts.
 .TP
 .B \-C PREVIOUS_FILECONTEXT
 Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
 
-.TP 
+.TP
 .B \-N time
 Only act on files created after the specified date.  Date must be specified in
 "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
@@ -83,19 +83,28 @@ Use parallel relabeling, see
 
 .SH "ARGUMENTS"
 One of:
-.TP 
+.TP
 .B check | verify
 print any incorrect file context labels, showing old and new context, but do not change them.
-.TP 
+.TP
 .B restore
 change any incorrect file context labels.
-.TP 
+.TP
 .B relabel
 Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
-.TP 
-.B [[dir/file] ... ] 
+.TP
+.B [[dir/file] ... ]
 List of files or directories trees that you wish to check file context on.
 
+.SH EXAMPLE
+.nf
+Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
+# fixfiles relabel
+Schedule the machine to relabel on the next boot and force relabeling of customizable types
+# fixfiles -F onboot
+Check labeling of all files from the samba package (while not changing any labels)
+# fixfiles -R samba check
+
 .SH "AUTHOR"
 This man page was written by Richard Hally <rhally@mindspring.com>.
 The script  was written by Dan Walsh <dwalsh@redhat.com>
@@ -103,4 +112,3 @@ The script  was written by Dan Walsh <dwalsh@redhat.com>
 .SH "SEE ALSO"
 .BR setfiles (8),
 .BR restorecon (8)
-
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 501b5cb8..c0e8b05a 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -107,16 +107,24 @@ then the context will be read from stdin.
 .br
 If there is no argument,
 .B secon
-will try reading a context from stdin, if that is not a tty, otherwise 
+will try reading a context from stdin, if that is not a tty, otherwise
 .B secon
 will act as though \fB\-\-self\fR had been passed.
 .PP
 If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
 \fB\-\-mls\-range\fR is passed.
 Then all of them will be output.
+
+.SH EXAMPLE
+.nf
+Show SElinux context of the init process
+# secon --pid 1
+Parse the type portion of given security context
+# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
+
 .PP
 .SH SEE ALSO
 .BR chcon (1)
 .SH AUTHORS
 .nf
-James Antill (james.antill@redhat.com) 
+James Antill (james.antill@redhat.com)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index c56e580f..01757b00 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -1,5 +1,5 @@
 .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
-.SH NAME 
+.SH NAME
 semodule \- Manage SELinux policy modules.
 
 .SH SYNOPSIS
@@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
 .SH DESCRIPTION
 .PP
 semodule is the tool used to manage SELinux policy modules,
-including installing, upgrading, listing and removing modules.  
+including installing, upgrading, listing and removing modules.
 semodule may also be used to force a rebuild of policy from the
 module store and/or to force a reload of policy without performing
 any other transaction.  semodule acts on module packages created
@@ -39,7 +39,7 @@ install/replace a module package
 .B  \-u,\-\-upgrade=MODULE_PKG
 deprecated, alias for --install
 .TP
-.B  \-b,\-\-base=MODULE_PKG   
+.B  \-b,\-\-base=MODULE_PKG
 deprecated, alias for --install
 .TP
 .B  \-r,\-\-remove=MODULE_NAME
@@ -77,7 +77,7 @@ name of the store to operate on
 .B  \-n,\-\-noreload,\-N
 do not reload policy after commit
 .TP
-.B  \-h,\-\-help        
+.B  \-h,\-\-help
 prints help message and quit
 .TP
 .B \-P,\-\-preserve_tunables
@@ -92,7 +92,7 @@ Use an alternate path for the policy root
 .B \-S,\-\-store-path
 Use an alternate path for the policy store root
 .TP
-.B  \-v,\-\-verbose     
+.B  \-v,\-\-verbose
 be verbose
 .TP
 .B  \-c,\-\-cil
@@ -131,8 +131,6 @@ $ semodule \-B
 $ semodule \-d alsa
 # Install a module at a specific priority.
 $ semodule \-X 100 \-i alsa.pp
-# List all modules.
-$ semodule \-\-list=full
 # Set an alternate path for the policy root
 $ semodule \-B \-p "/tmp"
 # Set an alternate path for the policy store root
@@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
 # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
 $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
 $ semodule -l -m | grep localmodule
+# Translate binary module file into CIL (useful for debugging installation errors)
+$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
 .fi
 
 .SH SEE ALSO
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index e07db2c8..c3cc5c9b 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -224,6 +224,15 @@ and provided the
 option is NOT set and recursive mode is set, files will be relabeled as
 required with the digests then being updated provided there are no errors.
 
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories and list all context changes
+# restorecon -rv /var/www/
+List mislabeled files in user home directory and what the correct label should be
+# restorecon -nvr ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# restorecon -vif file_list
+
 .SH "AUTHOR"
 This man page was written by Dan Walsh <dwalsh@redhat.com>.
 Some of the content of this man page was taken from the setfiles
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e6..51d12a4d 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
 .br
 the pathname of the directory tree to be searched.
 
+.SH EXAMPLE
+.nf
+List all paths that where assigned a checksum by "restorecon/setfiles -D"
+# restorecon_xattr -r /
+Remove all non-matching checksums
+# restorecon_xattr -rd /
+
 .SH "SEE ALSO"
 .BR restorecon (8),
 .BR setfiles (8)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index bf26e161..892a5062 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -289,6 +289,15 @@ and provided the
 option is NOT set, files will be relabeled as required with the digests then
 being updated provided there are no errors.
 
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
+# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
+List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
+# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
+
 .SH "AUTHOR"
 This man page was written by Russell Coker <russell@coker.com.au>.
 The program was written by Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 52936f5a..f54664fb 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
 .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
 
 .SH "DESCRIPTION"
-.B setsebool 
-sets the current state of a particular SELinux boolean or a list of booleans 
-to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
+.B setsebool
+sets the current state of a particular SELinux boolean or a list of booleans
+to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
 
 Without the \-P option, only the current boolean value is
-affected; the boot-time default settings 
-are not changed. 
+affected; the boot-time default settings
+are not changed.
 
 If the \-P option is given, all pending values are written to
 the policy file on disk. So they will be persistent across reboots.
@@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
 
 If the \-V option is given, verbose error messages will be printed from semanage libraries.
 
+.SH EXAMPLE
+.nf
+Enable container_use_devices boolean (will return to persistent value after reboot)
+# setsebool container_use_devices 1
+Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
+# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
 
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-- 
2.40.0

[PATCH v2 2/5] python/sepolicy: Improve man pages

[Vit Mojzis]

- Add missing options
- Add examples
- Emphasize keywords
- Remove trailing whitespaces

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy-booleans.8    | 15 +++++++++---
 python/sepolicy/sepolicy-communicate.8 | 14 ++++++++---
 python/sepolicy/sepolicy-generate.8    | 34 ++++++++++++--------------
 python/sepolicy/sepolicy-gui.8         |  4 +--
 python/sepolicy/sepolicy-interface.8   | 18 +++++++++++---
 python/sepolicy/sepolicy-manpage.8     | 25 ++++++++++++++-----
 python/sepolicy/sepolicy-network.8     | 17 ++++++-------
 python/sepolicy/sepolicy-transition.8  | 19 +++++++++-----
 8 files changed, 96 insertions(+), 50 deletions(-)

diff --git a/python/sepolicy/sepolicy-booleans.8 b/python/sepolicy/sepolicy-booleans.8
index f8d8b56d..7f4b18e7 100644
--- a/python/sepolicy/sepolicy-booleans.8
+++ b/python/sepolicy/sepolicy-booleans.8
@@ -8,12 +8,16 @@ sepolicy-booleans \- Query SELinux Policy to see description of booleans
 .B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
 
 .SH "DESCRIPTION"
-sepolicy booleans will show all booleans and their descriptions, or you can 
-choose individual booleans to display
+.B sepolicy booleans
+will show all booleans and their descriptions, or you can
+choose individual booleans to display.
+Please make sure that selinux-policy-devel is present in your system since it contains boolean descriptions extracted from the policy source code. Otherwise
+.B sepolicy booleans
+will only show descriptions generated based on boolean names.
 
 .SH "OPTIONS"
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-a, \-\-all
@@ -22,6 +26,11 @@ Display all boolean descriptions
 .I                \-b, \-\-boolean
 boolean to get description
 
+.SH EXAMPLE
+.nf
+List descriptions of samba_create_home_dirs and samba_enable_home_dirs booleans
+# sepolicy booleans -b samba_create_home_dirs samba_enable_home_dirs
+
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
diff --git a/python/sepolicy/sepolicy-communicate.8 b/python/sepolicy/sepolicy-communicate.8
index 050aa475..5ecf6eff 100644
--- a/python/sepolicy/sepolicy-communicate.8
+++ b/python/sepolicy/sepolicy-communicate.8
@@ -8,7 +8,9 @@ sepolicy-communicate \- Generate a report showing if two SELinux Policy Domains
 .B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
 
 .SH "DESCRIPTION"
-Use sepolicy communicate to examine SELinux Policy to if a source SELinux Domain can communicate with a target SELinux Domain.
+Use
+.B sepolicy communicate
+to examine SELinux Policy and determine if a source SELinux Domain can communicate with a target SELinux Domain.
 The default command looks to see if there are any file types that the source domain can write, which the target domain can read.
 
 .SH "OPTIONS"
@@ -16,7 +18,7 @@ The default command looks to see if there are any file types that the source dom
 .I                \-c, \-\-class
 Specify the SELinux class which the source domain will attempt to communicate with the target domain.  (Default file)
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-s, \-\-source
@@ -31,9 +33,15 @@ Specify the target SELinux domain type.
 .I                \-T, \-\-targetaccess
 Specify the list of accesses used by the target SELinux domain type to receive communications from the source domain. Default Open, Read.
 
+.SH EXAMPLE
+.nf
+List types that can be used to communicate between samba daemon and apache server
+# sepolicy communicate -s httpd_t -t smbd_t
+Consider a type to be accessible by the source domain when it can be opened and appended to (as opposed to opened and written to)
+# sepolicy communicate -s httpd_t -t smbd_t -S open,append
+
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
 .SH "SEE ALSO"
 sepolicy(8), selinux(8)
-
diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
index 0c5f998f..72d0e8e4 100644
--- a/python/sepolicy/sepolicy-generate.8
+++ b/python/sepolicy/sepolicy-generate.8
@@ -57,32 +57,29 @@ path. \fBsepolicy generate\fP will use the rpm payload of the
 application along with \fBnm \-D APPLICATION\fP to help it generate
 types and policy rules for your policy files.
 
-.B Type Enforcing File NAME.te
+.B NAME.te
 .br
-This file can be used to define all the types rules for a particular domain.
+This file can be used to define all the types enforcement rules for a particular domain.
 
 .I Note:
-Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file.  When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
 
-.B Interface File NAME.if
+.B NAME.if
 .br
-This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
 
-.B File Context NAME.fc
+.B NAME.fc
 .br
-This file defines the default file context for the system, it takes the file types created in the te file and associates
+This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
 file paths to the types.  Tools like restorecon and RPM will use these paths to put down labels.
 
-.B RPM Spec File NAME_selinux.spec
+.B NAME_selinux.spec
 .br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
 
-.B Shell File NAME.sh
+.B NAME.sh
 .br
-This is a helper shell script to compile, install and fix the labeling on your test system.  It will also generate a man page based on the installed policy, and
-compile and build an RPM suitable to be installed on other machines
-
-If a generate is possible, this tool will print out all generate paths from the source domain to the target domain
+This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
 
 .SH "OPTIONS"
 .TP
@@ -97,10 +94,11 @@ Specify alternate name of policy. The policy will default to the executable or n
 .TP
 .I                \-p, \-\-path
 Specify the directory to store the created policy files. (Default to current working directory )
+.TP
 optional arguments:
 .TP
 .I                \-r, \-\-role
-Enter role(s) to which this admin user will transition.
+Enter role(s) to which this admin user will transition
 .TP
 .I                \-t, \-\-type
 Enter type(s) for which you will generate new definition and rule(s)
@@ -109,12 +107,12 @@ Enter type(s) for which you will generate new definition and rule(s)
 SELinux user(s) which will transition to this domain
 .TP
 .I                \-w, \-\-writepath
-Path(s) which the confined processes need to write
+Path(s) which the confined processes need to write to
 .TP
 .I                \-a, \-\-admin
 Domain(s) which the confined admin will administrate
 .TP
-.I  \-\-admin_user 
+.I  \-\-admin_user
 Generate Policy for Administrator Login User Role
 .TP
 .I  \-\-application
@@ -142,7 +140,7 @@ Generate Policy for Internet Services Daemon
 Generate Policy for Standard Init Daemon (Default)
 .TP
 .I  \-\-newtype
-Generate new policy for new types to add to an existing policy.
+Generate new policy for new types to add to an existing policy
 .TP
 .I  \-\-sandbox
 Generate Policy for Sandbox
diff --git a/python/sepolicy/sepolicy-gui.8 b/python/sepolicy/sepolicy-gui.8
index ed744cdb..65b69fab 100644
--- a/python/sepolicy/sepolicy-gui.8
+++ b/python/sepolicy/sepolicy-gui.8
@@ -11,7 +11,7 @@ Common options
 .br
 
 .SH "DESCRIPTION"
-Use \fBsepolicy gui\fP to run a the graphical user interface, which
+Use \fBsepolicy gui\fP to run the graphical user interface, which
 allows you to explore how SELinux confines different process domains.
 
 .SH "OPTIONS"
@@ -20,7 +20,7 @@ allows you to explore how SELinux confines different process domains.
 Display help message
 .TP
 .I                \-d, \-\-domain
-Initialize gui to the selected domain.
+Initialize gui to the selected domain
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-interface.8 b/python/sepolicy/sepolicy-interface.8
index 3e74ea62..a70a9306 100644
--- a/python/sepolicy/sepolicy-interface.8
+++ b/python/sepolicy/sepolicy-interface.8
@@ -5,10 +5,10 @@ sepolicy-interface \- Print interface information based on the installed SELinux
 .SH "SYNOPSIS"
 
 .br
-.B sepolicy interface  [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
+.B sepolicy interface  [\-h] [\-c] [\-v] [\-f FILE] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
 
 .SH "DESCRIPTION"
-Use sepolicy interface to print interfaces information based on SELinux Policy.
+Use \fBsepolicy interface\fP to print interface information based on SELinux Policy.
 
 .SH "OPTIONS"
 .TP
@@ -18,7 +18,7 @@ List all domains with admin interface
 .I                \-c, \-\-compile
 Test compile of interfaces
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-i, \-\-interface
@@ -32,6 +32,18 @@ List all domains with SELinux user role interface
 .TP
 .I                \-v, \-\-verbose
 Display extended information about the interface including parameters and description if available.
+.TP
+.I                \-f, \-\-file
+Interface file to be explored
+
+.SH EXAMPLE
+.nf
+Show description of given interface
+# sepolicy interface -vi samba_rw_config
+List interfaces in given interface file and show their description
+# sepolicy interface -f my_policy.if -lv
+Run compile test for all interfaces in given file
+# sepolicy interface -f my_policy.if -lc
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-manpage.8 b/python/sepolicy/sepolicy-manpage.8
index c05c9430..4991f645 100644
--- a/python/sepolicy/sepolicy-manpage.8
+++ b/python/sepolicy/sepolicy-manpage.8
@@ -8,27 +8,40 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
 .B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
 
 .SH "DESCRIPTION"
-Use sepolicy manpage to generate manpages based on SELinux Policy.
+Use \fBsepolicy manpage\fP to generate manpages based on SELinux Policy.
 
 .SH "OPTIONS"
 .TP
-.I                \-a, \-\-all        
+.I                \-a, \-\-all
 Generate Man Pages for All Domains
 .TP
-.I                \-d, \-\-domain     
+.I                \-d, \-\-domain
 Generate a Man Page for the specified domain. (Supports multiple commands)
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
+.I                \-o, \-\-os
+Specify the name of the OS to be used in the man page (only affects HTML man pages)
+.TP
 .I                \-p, \-\-path
 Specify the directory to store the created man pages. (Default to /tmp)
 .TP
 .I                \-r, \-\-root
-Specify alternate root directory to generate man pages from. (Default to /)
+Specify alternative root directory to generate man pages from. (Default to /)
+.TP
+.I                \-\-source_files
+Use file_contexts and policy.xml files from the specified root directory (the alternative root needs to include both files)
 .TP
 .I                \-w, \-\-web
-Generate an additional HTML man pages for the specified domain(s).
+Generate an additional HTML man pages for the specified domain(s)
+
+.SH EXAMPLE
+.nf
+Generate man pages for all available domains
+# sepolicy manpage -a
+Generate an HTML man page for domain alsa_t, setting the OS name to "My_distro"
+# sepolicy manpage -o My_distro -d alsa_t -w
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-network.8 b/python/sepolicy/sepolicy-network.8
index dcddec75..6faf60ab 100644
--- a/python/sepolicy/sepolicy-network.8
+++ b/python/sepolicy/sepolicy-network.8
@@ -8,27 +8,27 @@ sepolicy-network \- Examine the SELinux Policy and generate a network report
 .B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
 
 .SH "DESCRIPTION"
-Use sepolicy network to examine SELinux Policy and generate network reports.
+Use \fBsepolicy network\fP to examine SELinux Policy and generate network reports.
 
 .SH "OPTIONS"
 .TP
 .I                \-a, \-\-application
-Generate a report listing the ports to which the specified init application is allowed to connect and or bind.
+Generate a report listing the ports to which the specified init application is allowed to connect and or bind
 .TP
-.I                \-d, \-\-domain     
-Generate a report listing the ports to which the specified domain is allowed to connect and or bind.
+.I                \-d, \-\-domain
+Generate a report listing the ports to which the specified domain is allowed to connect and or bind
 .TP
-.I                \-l, \-\-list        
+.I                \-l, \-\-list
 List all Network Port Types defined in SELinux Policy
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-t, \-\-type
-Generate a report listing the port numbers associate with the specified SELinux port type.
+Generate a report listing the port numbers associate with the specified SELinux port type
 .TP
 .I                \-p, \-\-port
-Generate a report listing the SELinux port types associate with the specified port number.
+Generate a report listing the SELinux port types associate with the specified port number
 
 .SH "EXAMPLES"
 
@@ -88,4 +88,3 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
 
 .SH "SEE ALSO"
 sepolicy(8), selinux(8), semanage(8)
-
diff --git a/python/sepolicy/sepolicy-transition.8 b/python/sepolicy/sepolicy-transition.8
index 897f0c4c..9f9ff5a5 100644
--- a/python/sepolicy/sepolicy-transition.8
+++ b/python/sepolicy/sepolicy-transition.8
@@ -11,21 +11,28 @@ sepolicy-transition \- Examine the SELinux Policy and generate a process transit
 .B sepolicy transition [\-h] \-s SOURCE \-t TARGET
 
 .SH "DESCRIPTION"
-sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
+\fBsepolicy transition\fP will show all domains that a given SELinux source domain can transition to, including the entrypoint.
 
-If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the 
-paths.  If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
+paths.
 
 .SH "OPTIONS"
 .TP
-.I                \-h, \-\-help       
+.I                \-h, \-\-help
 Display help message
 .TP
 .I                \-s, \-\-source
-Specify the source SELinux domain type.
+Specify the source SELinux domain type
 .TP
 .I                \-t, \-\-target
-Specify the target SELinux domain type.
+Specify the target SELinux domain type
+
+.SH EXAMPLE
+.nf
+List all domain transition paths from init_t to httpd_t
+# sepolicy transition -s init_t -t httpd_t
+List all transitions available from samba domain, including entry points and booleans controlling each transition
+# sepolicy transition -s smbd_t
 
 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com>
-- 
2.40.0

[PATCH v2 3/5] sandbox: Add examples to man pages

[Vit Mojzis]

While at it, remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 sandbox/sandbox.8   | 28 ++++++++++++++++++----------
 sandbox/seunshare.8 | 21 ++++++++++++++-------
 2 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 1ee0ecea..095b9e27 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -11,12 +11,12 @@ sandbox \- Run cmd under an SELinux sandbox
 .br
 .SH DESCRIPTION
 .PP
-Run the 
-.I cmd 
+Run the
+.I cmd
 application within a tightly confined SELinux domain.  The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files.  The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox.
 
-If you have the 
-.I policycoreutils-sandbox 
+If you have the
+.I policycoreutils-sandbox
 package installed, you can use the \-X option and the \-M option.
 .B sandbox \-X
 allows you to run X applications within a sandbox.  These applications will start up their own X Server and create a temporary home directory and /tmp.  The default SELinux policy does not allow any capabilities or network access.  It also prevents all access to the users other processes and files.  Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
@@ -78,27 +78,35 @@ Run a full desktop session, Requires level, and home and tmpdir.
 Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
 .TP
 \fB\-W\fR \fB\-\-windowmanager\fR
-Select alternative window manager to run within 
+Select alternative window manager to run within
 .B sandbox \-X.
 Default to /usr/bin/openbox.
 .TP
-\fB\-X\fR 
+\fB\-X\fR
 Create an X based Sandbox for gui apps, temporary files for
 $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
 .TP
 \fB\-d\fR \fB\-\-dpi\fR
 Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
 .TP
-\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
-sandbox. By default applications executed within the sandbox will not
-be allowed to use capabilities (setuid apps), with the \-C flag, you
-can use programs requiring capabilities.
+\fB\-C\fR \fB\-\-capabilities\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the \-C flag, you can use programs requiring capabilities.
 .PP
 .SH "SEE ALSO"
 .TP
 runcon(1), seunshare(8), selinux(8)
 .PP
 
+.SH EXAMPLE
+.nf
+Run a graphical application inside the sandbox
+# sandbox -X evince
+Run a graphical application that requires the use of network
+# sandbox ‑X ‑t sandbox_web_t firefox
+Preserve data from one session to the next
+# mkdir -p ~/sandbox/home ~/sandbox/tmp
+# sandbox -H ~/sandbox/home -T ~/sandbox/tmp -X libreoffice --writer
+
 .SH AUTHOR
 This manual page was written by
 .I Dan Walsh <dwalsh@redhat.com>
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 09cf7fea..5339a3b1 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -9,29 +9,36 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 .PP
 Run the
 .I executable
-within the specified context, using the alternate home directory and /tmp directory.  The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
 
 .TP
 \fB\-h homedir\fR
-Alternate homedir to be used by the application.  Homedir must be owned by the user.
+Alternate homedir to be used by the application. Homedir must be owned by the user
 .TP
 \fB\-t\ tmpdir
-Use alternate temporary directory to mount on /tmp.  tmpdir must be owned by the user.
+Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user
 .TP
 \fB\-r\ runuserdir
-Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user
 .TP
 \fB\-C --capabilities\fR
-Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
+Allow apps executed within the namespace to use capabilities. Default is no capabilities
 .TP
 \fB\-k --kill\fR
-Kill all processes with matching MCS level.
+Kill all processes with matching MCS level
 .TP
 \fB\-Z\ context
-Use alternate SELinux context while running the executable.
+Use alternate SELinux context while running the executable
 .TP
 \fB\-v\fR
 Verbose output
+
+.SH EXAMPLE
+.nf
+Run bash with temporary /home and /tmp directory
+# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
+# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash
+
 .SH "SEE ALSO"
 .TP
 runcon(1), sandbox(8), selinux(8)
-- 
2.40.0

[PATCH v2 4/5] checkpolicy: Add examples to man pages

[Vit Mojzis]

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 checkpolicy/checkpolicy.8 | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 2984c238..7843569b 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -12,8 +12,8 @@ command.
 .PP
 .B checkpolicy
 is a program that checks and compiles a SELinux security policy configuration
-into a binary representation that can be loaded into the kernel.  If no 
-input file name is specified,
+into a binary representation that can be loaded into the kernel.
+If no input file name is specified,
 .B checkpolicy
 will attempt to read from policy.conf or policy, depending on whether the \-b
 flag is specified.
@@ -64,6 +64,17 @@ Show version information.
 .B \-h,\-\-help
 Show usage information.
 
+.SH EXAMPLE
+.nf
+Generate policy.conf based on the system policy
+# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
+Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
+Note that binary policy extension represents its version, which is subject to change
+# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
+# load_policy
+Generate CIL representation of current system policy
+# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out
+
 .SH "SEE ALSO"
 SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
 
-- 
2.40.0

[PATCH v2 5/5] libselinux: Add examples to man pages

[Vit Mojzis]

Also fix some typos and remove trailing whitespaces.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libselinux/man/man8/getsebool.8    | 18 +++++++++++-------
 libselinux/man/man8/matchpathcon.8 | 19 +++++++++++++------
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
index d70bf1e4..9e36f04f 100644
--- a/libselinux/man/man8/getsebool.8
+++ b/libselinux/man/man8/getsebool.8
@@ -1,6 +1,6 @@
 .TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
 .SH "NAME"
-getsebool \- get SELinux boolean value(s) 
+getsebool \- get SELinux boolean value(s)
 .
 .SH "SYNOPSIS"
 .B getsebool
@@ -8,17 +8,16 @@ getsebool \- get SELinux boolean value(s)
 .RI [ boolean ]
 .
 .SH "DESCRIPTION"
-.B getsebool 
-reports where a particular SELinux boolean or
-all SELinux booleans are on or off
-In certain situations a boolean can be in one state with a pending 
-change to the other state.  getsebool will report this as a pending change.
+.B getsebool
+reports whether a particular SELinux boolean, or all SELinux booleans, are on or off.
+In certain situations a boolean can be in one state with a pending
+change to the other state. getsebool will report this as a pending change.
 The pending value indicates
 the value that will be applied upon the next boolean commit.
 
 The setting of boolean values occurs in two stages; first the pending
 value is changed, then the booleans are committed, causing their
-active values to become their pending values.  This allows a group of
+active values to become their pending values. This allows a group of
 booleans to be changed in a single transaction, by setting all of
 their pending values as desired and then committing once.
 .
@@ -27,6 +26,11 @@ their pending values as desired and then committing once.
 .B \-a
 Show all SELinux booleans.
 .
+.SH EXAMPLE
+.nf
+Show current state of httpd_can_connect_ftp
+# getsebool httpd_can_connect_ftp
+.
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 The program was written by Tresys Technology.
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
index 50c0d392..6d848f43 100644
--- a/libselinux/man/man8/matchpathcon.8
+++ b/libselinux/man/man8/matchpathcon.8
@@ -25,8 +25,8 @@ queries the system policy and outputs the default security context associated wi
 Identical paths can have different security contexts, depending on the file
 type (regular file, directory, link file, char file ...).
 
-.B matchpathcon 
-will also take the file type into consideration in determining the default security context if the file exists.  If the file does not exist, no file type matching will occur.
+.B matchpathcon
+will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
 .
 .SH OPTIONS
 .TP
@@ -34,19 +34,19 @@ will also take the file type into consideration in determining the default secur
 Force file type for the lookup.
 Valid types are
 .BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", "
-.BR lnk_file ", " sock_file .
+.BR lnk_file ", " sock_file
 .TP
 .B \-n
-Do not display path.
+Do not display path
 .TP
 .B \-N
-Do not use translations.
+Do not use translations
 .TP
 .BI \-f " file_context_file"
 Use alternate file_context file
 .TP
 .BI \-p " prefix"
-Use prefix to speed translations
+Use prefix to speed up translations
 .TP
 .BI \-P " policy_root_path"
 Use alternate policy root path
@@ -54,6 +54,13 @@ Use alternate policy root path
 .B \-V
 Verify file context on disk matches defaults
 .
+.SH EXAMPLE
+.nf
+Show the default label of sock_file cups.sock
+# matchpathcon -m sock_file /var/run/cups/cups.sock
+Verify that /var/www/html directory is labeled correctly (the content of the folder is not checked)
+# matchpathcon -V /var/www/html
+.
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 .
-- 
2.40.0

Re: [PATCH v2 1/5] policycoreutils: Add examples to man pages

[Petr Lautrbach]

Vit Mojzis <vmojzis@redhat.com> writes:

> While at it, remove trailing whitespaces.
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>

For these five patches:
Acked-by: Petr Lautrbach <lautrbach@redhat.com>



> ---
>  policycoreutils/scripts/fixfiles.8          | 34 +++++++++++++--------
>  policycoreutils/secon/secon.1               | 12 ++++++--
>  policycoreutils/semodule/semodule.8         | 14 ++++-----
>  policycoreutils/setfiles/restorecon.8       |  9 ++++++
>  policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
>  policycoreutils/setfiles/setfiles.8         |  9 ++++++
>  policycoreutils/setsebool/setsebool.8       | 16 +++++++---
>  7 files changed, 74 insertions(+), 27 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index 9a317d91..928b8200 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
>  .B fixfiles
>  .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
>  
> -.B fixfiles 
> +.B fixfiles
>  .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
>  
>  .B fixfiles
> @@ -31,7 +31,7 @@ This manual page describes the
>  script.
>  .P
>  This script is primarily used to correct the security context
> -database (extended attributes) on filesystems.  
> +database (extended attributes) on filesystems.
>  .P
>  It can also be run at any time to relabel when adding support for
>  new policy, or  just check whether the file contexts are all
> @@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
>  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
>  excluded from relabeling.
>  .P
> -.B fixfiles onboot 
> +.B fixfiles onboot
>  will setup the machine to relabel on the next reboot.
>  
>  .SH "OPTIONS"
> -.TP 
> +.TP
>  .B \-B
>  If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
>  .TP
>  .B \-F
>  Force reset of context to match file_context for customizable files
>  
> -.TP 
> +.TP
>  .B \-f
>  Clear /tmp directory with out prompt for removal.
>  
> -.TP 
> +.TP
>  .B \-R rpmpackagename[,rpmpackagename...]
>  Use the rpm database to discover all files within the specified packages and restore the file contexts.
>  .TP
>  .B \-C PREVIOUS_FILECONTEXT
>  Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
>  
> -.TP 
> +.TP
>  .B \-N time
>  Only act on files created after the specified date.  Date must be specified in
>  "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
> @@ -83,19 +83,28 @@ Use parallel relabeling, see
>  
>  .SH "ARGUMENTS"
>  One of:
> -.TP 
> +.TP
>  .B check | verify
>  print any incorrect file context labels, showing old and new context, but do not change them.
> -.TP 
> +.TP
>  .B restore
>  change any incorrect file context labels.
> -.TP 
> +.TP
>  .B relabel
>  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
> -.TP 
> -.B [[dir/file] ... ] 
> +.TP
> +.B [[dir/file] ... ]
>  List of files or directories trees that you wish to check file context on.
>  
> +.SH EXAMPLE
> +.nf
> +Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
> +# fixfiles relabel
> +Schedule the machine to relabel on the next boot and force relabeling of customizable types
> +# fixfiles -F onboot
> +Check labeling of all files from the samba package (while not changing any labels)
> +# fixfiles -R samba check
> +
>  .SH "AUTHOR"
>  This man page was written by Richard Hally <rhally@mindspring.com>.
>  The script  was written by Dan Walsh <dwalsh@redhat.com>
> @@ -103,4 +112,3 @@ The script  was written by Dan Walsh <dwalsh@redhat.com>
>  .SH "SEE ALSO"
>  .BR setfiles (8),
>  .BR restorecon (8)
> -
> diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
> index 501b5cb8..c0e8b05a 100644
> --- a/policycoreutils/secon/secon.1
> +++ b/policycoreutils/secon/secon.1
> @@ -107,16 +107,24 @@ then the context will be read from stdin.
>  .br
>  If there is no argument,
>  .B secon
> -will try reading a context from stdin, if that is not a tty, otherwise 
> +will try reading a context from stdin, if that is not a tty, otherwise
>  .B secon
>  will act as though \fB\-\-self\fR had been passed.
>  .PP
>  If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
>  \fB\-\-mls\-range\fR is passed.
>  Then all of them will be output.
> +
> +.SH EXAMPLE
> +.nf
> +Show SElinux context of the init process
> +# secon --pid 1
> +Parse the type portion of given security context
> +# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
> +
>  .PP
>  .SH SEE ALSO
>  .BR chcon (1)
>  .SH AUTHORS
>  .nf
> -James Antill (james.antill@redhat.com) 
> +James Antill (james.antill@redhat.com)
> diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> index c56e580f..01757b00 100644
> --- a/policycoreutils/semodule/semodule.8
> +++ b/policycoreutils/semodule/semodule.8
> @@ -1,5 +1,5 @@
>  .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
> -.SH NAME 
> +.SH NAME
>  semodule \- Manage SELinux policy modules.
>  
>  .SH SYNOPSIS
> @@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
>  .SH DESCRIPTION
>  .PP
>  semodule is the tool used to manage SELinux policy modules,
> -including installing, upgrading, listing and removing modules.  
> +including installing, upgrading, listing and removing modules.
>  semodule may also be used to force a rebuild of policy from the
>  module store and/or to force a reload of policy without performing
>  any other transaction.  semodule acts on module packages created
> @@ -39,7 +39,7 @@ install/replace a module package
>  .B  \-u,\-\-upgrade=MODULE_PKG
>  deprecated, alias for --install
>  .TP
> -.B  \-b,\-\-base=MODULE_PKG   
> +.B  \-b,\-\-base=MODULE_PKG
>  deprecated, alias for --install
>  .TP
>  .B  \-r,\-\-remove=MODULE_NAME
> @@ -77,7 +77,7 @@ name of the store to operate on
>  .B  \-n,\-\-noreload,\-N
>  do not reload policy after commit
>  .TP
> -.B  \-h,\-\-help        
> +.B  \-h,\-\-help
>  prints help message and quit
>  .TP
>  .B \-P,\-\-preserve_tunables
> @@ -92,7 +92,7 @@ Use an alternate path for the policy root
>  .B \-S,\-\-store-path
>  Use an alternate path for the policy store root
>  .TP
> -.B  \-v,\-\-verbose     
> +.B  \-v,\-\-verbose
>  be verbose
>  .TP
>  .B  \-c,\-\-cil
> @@ -131,8 +131,6 @@ $ semodule \-B
>  $ semodule \-d alsa
>  # Install a module at a specific priority.
>  $ semodule \-X 100 \-i alsa.pp
> -# List all modules.
> -$ semodule \-\-list=full
>  # Set an alternate path for the policy root
>  $ semodule \-B \-p "/tmp"
>  # Set an alternate path for the policy store root
> @@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
>  # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
>  $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
>  $ semodule -l -m | grep localmodule
> +# Translate binary module file into CIL (useful for debugging installation errors)
> +$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
>  .fi
>  
>  .SH SEE ALSO
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index e07db2c8..c3cc5c9b 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -224,6 +224,15 @@ and provided the
>  option is NOT set and recursive mode is set, files will be relabeled as
>  required with the digests then being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories and list all context changes
> +# restorecon -rv /var/www/
> +List mislabeled files in user home directory and what the correct label should be
> +# restorecon -nvr ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# restorecon -vif file_list
> +
>  .SH "AUTHOR"
>  This man page was written by Dan Walsh <dwalsh@redhat.com>.
>  Some of the content of this man page was taken from the setfiles
> diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
> index e04528e6..51d12a4d 100644
> --- a/policycoreutils/setfiles/restorecon_xattr.8
> +++ b/policycoreutils/setfiles/restorecon_xattr.8
> @@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
>  .br
>  the pathname of the directory tree to be searched.
>  
> +.SH EXAMPLE
> +.nf
> +List all paths that where assigned a checksum by "restorecon/setfiles -D"
> +# restorecon_xattr -r /
> +Remove all non-matching checksums
> +# restorecon_xattr -rd /
> +
>  .SH "SEE ALSO"
>  .BR restorecon (8),
>  .BR setfiles (8)
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index bf26e161..892a5062 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -289,6 +289,15 @@ and provided the
>  option is NOT set, files will be relabeled as required with the digests then
>  being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
> +# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
> +List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
> +# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
> +
>  .SH "AUTHOR"
>  This man page was written by Russell Coker <russell@coker.com.au>.
>  The program was written by Stephen Smalley <sds@tycho.nsa.gov>
> diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
> index 52936f5a..f54664fb 100644
> --- a/policycoreutils/setsebool/setsebool.8
> +++ b/policycoreutils/setsebool/setsebool.8
> @@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
>  .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
>  
>  .SH "DESCRIPTION"
> -.B setsebool 
> -sets the current state of a particular SELinux boolean or a list of booleans 
> -to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
> +.B setsebool
> +sets the current state of a particular SELinux boolean or a list of booleans
> +to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
>  
>  Without the \-P option, only the current boolean value is
> -affected; the boot-time default settings 
> -are not changed. 
> +affected; the boot-time default settings
> +are not changed.
>  
>  If the \-P option is given, all pending values are written to
>  the policy file on disk. So they will be persistent across reboots.
> @@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
>  
>  If the \-V option is given, verbose error messages will be printed from semanage libraries.
>  
> +.SH EXAMPLE
> +.nf
> +Enable container_use_devices boolean (will return to persistent value after reboot)
> +# setsebool container_use_devices 1
> +Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
> +# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
>  
>  .SH AUTHOR
>  This manual page was written by Dan Walsh <dwalsh@redhat.com>.
> -- 
> 2.40.0

Re: [PATCH v2 1/5] policycoreutils: Add examples to man pages

[James Carter]

On Tue, Jun 6, 2023 at 4:19 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Vit Mojzis <vmojzis@redhat.com> writes:
>
> > While at it, remove trailing whitespaces.
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> >
>
> For these five patches:
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
>
>
These five patches have been merged.
Thanks,
Jim

>
> > ---
> >  policycoreutils/scripts/fixfiles.8          | 34 +++++++++++++--------
> >  policycoreutils/secon/secon.1               | 12 ++++++--
> >  policycoreutils/semodule/semodule.8         | 14 ++++-----
> >  policycoreutils/setfiles/restorecon.8       |  9 ++++++
> >  policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
> >  policycoreutils/setfiles/setfiles.8         |  9 ++++++
> >  policycoreutils/setsebool/setsebool.8       | 16 +++++++---
> >  7 files changed, 74 insertions(+), 27 deletions(-)
> >
> > diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> > index 9a317d91..928b8200 100644
> > --- a/policycoreutils/scripts/fixfiles.8
> > +++ b/policycoreutils/scripts/fixfiles.8
> > @@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
> >  .B fixfiles
> >  .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
> >
> > -.B fixfiles
> > +.B fixfiles
> >  .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
> >
> >  .B fixfiles
> > @@ -31,7 +31,7 @@ This manual page describes the
> >  script.
> >  .P
> >  This script is primarily used to correct the security context
> > -database (extended attributes) on filesystems.
> > +database (extended attributes) on filesystems.
> >  .P
> >  It can also be run at any time to relabel when adding support for
> >  new policy, or  just check whether the file contexts are all
> > @@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
> >  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
> >  excluded from relabeling.
> >  .P
> > -.B fixfiles onboot
> > +.B fixfiles onboot
> >  will setup the machine to relabel on the next reboot.
> >
> >  .SH "OPTIONS"
> > -.TP
> > +.TP
> >  .B \-B
> >  If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
> >  .TP
> >  .B \-F
> >  Force reset of context to match file_context for customizable files
> >
> > -.TP
> > +.TP
> >  .B \-f
> >  Clear /tmp directory with out prompt for removal.
> >
> > -.TP
> > +.TP
> >  .B \-R rpmpackagename[,rpmpackagename...]
> >  Use the rpm database to discover all files within the specified packages and restore the file contexts.
> >  .TP
> >  .B \-C PREVIOUS_FILECONTEXT
> >  Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
> >
> > -.TP
> > +.TP
> >  .B \-N time
> >  Only act on files created after the specified date.  Date must be specified in
> >  "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
> > @@ -83,19 +83,28 @@ Use parallel relabeling, see
> >
> >  .SH "ARGUMENTS"
> >  One of:
> > -.TP
> > +.TP
> >  .B check | verify
> >  print any incorrect file context labels, showing old and new context, but do not change them.
> > -.TP
> > +.TP
> >  .B restore
> >  change any incorrect file context labels.
> > -.TP
> > +.TP
> >  .B relabel
> >  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
> > -.TP
> > -.B [[dir/file] ... ]
> > +.TP
> > +.B [[dir/file] ... ]
> >  List of files or directories trees that you wish to check file context on.
> >
> > +.SH EXAMPLE
> > +.nf
> > +Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
> > +# fixfiles relabel
> > +Schedule the machine to relabel on the next boot and force relabeling of customizable types
> > +# fixfiles -F onboot
> > +Check labeling of all files from the samba package (while not changing any labels)
> > +# fixfiles -R samba check
> > +
> >  .SH "AUTHOR"
> >  This man page was written by Richard Hally <rhally@mindspring.com>.
> >  The script  was written by Dan Walsh <dwalsh@redhat.com>
> > @@ -103,4 +112,3 @@ The script  was written by Dan Walsh <dwalsh@redhat.com>
> >  .SH "SEE ALSO"
> >  .BR setfiles (8),
> >  .BR restorecon (8)
> > -
> > diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
> > index 501b5cb8..c0e8b05a 100644
> > --- a/policycoreutils/secon/secon.1
> > +++ b/policycoreutils/secon/secon.1
> > @@ -107,16 +107,24 @@ then the context will be read from stdin.
> >  .br
> >  If there is no argument,
> >  .B secon
> > -will try reading a context from stdin, if that is not a tty, otherwise
> > +will try reading a context from stdin, if that is not a tty, otherwise
> >  .B secon
> >  will act as though \fB\-\-self\fR had been passed.
> >  .PP
> >  If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
> >  \fB\-\-mls\-range\fR is passed.
> >  Then all of them will be output.
> > +
> > +.SH EXAMPLE
> > +.nf
> > +Show SElinux context of the init process
> > +# secon --pid 1
> > +Parse the type portion of given security context
> > +# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
> > +
> >  .PP
> >  .SH SEE ALSO
> >  .BR chcon (1)
> >  .SH AUTHORS
> >  .nf
> > -James Antill (james.antill@redhat.com)
> > +James Antill (james.antill@redhat.com)
> > diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> > index c56e580f..01757b00 100644
> > --- a/policycoreutils/semodule/semodule.8
> > +++ b/policycoreutils/semodule/semodule.8
> > @@ -1,5 +1,5 @@
> >  .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
> > -.SH NAME
> > +.SH NAME
> >  semodule \- Manage SELinux policy modules.
> >
> >  .SH SYNOPSIS
> > @@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
> >  .SH DESCRIPTION
> >  .PP
> >  semodule is the tool used to manage SELinux policy modules,
> > -including installing, upgrading, listing and removing modules.
> > +including installing, upgrading, listing and removing modules.
> >  semodule may also be used to force a rebuild of policy from the
> >  module store and/or to force a reload of policy without performing
> >  any other transaction.  semodule acts on module packages created
> > @@ -39,7 +39,7 @@ install/replace a module package
> >  .B  \-u,\-\-upgrade=MODULE_PKG
> >  deprecated, alias for --install
> >  .TP
> > -.B  \-b,\-\-base=MODULE_PKG
> > +.B  \-b,\-\-base=MODULE_PKG
> >  deprecated, alias for --install
> >  .TP
> >  .B  \-r,\-\-remove=MODULE_NAME
> > @@ -77,7 +77,7 @@ name of the store to operate on
> >  .B  \-n,\-\-noreload,\-N
> >  do not reload policy after commit
> >  .TP
> > -.B  \-h,\-\-help
> > +.B  \-h,\-\-help
> >  prints help message and quit
> >  .TP
> >  .B \-P,\-\-preserve_tunables
> > @@ -92,7 +92,7 @@ Use an alternate path for the policy root
> >  .B \-S,\-\-store-path
> >  Use an alternate path for the policy store root
> >  .TP
> > -.B  \-v,\-\-verbose
> > +.B  \-v,\-\-verbose
> >  be verbose
> >  .TP
> >  .B  \-c,\-\-cil
> > @@ -131,8 +131,6 @@ $ semodule \-B
> >  $ semodule \-d alsa
> >  # Install a module at a specific priority.
> >  $ semodule \-X 100 \-i alsa.pp
> > -# List all modules.
> > -$ semodule \-\-list=full
> >  # Set an alternate path for the policy root
> >  $ semodule \-B \-p "/tmp"
> >  # Set an alternate path for the policy store root
> > @@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
> >  # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
> >  $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
> >  $ semodule -l -m | grep localmodule
> > +# Translate binary module file into CIL (useful for debugging installation errors)
> > +$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
> >  .fi
> >
> >  .SH SEE ALSO
> > diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> > index e07db2c8..c3cc5c9b 100644
> > --- a/policycoreutils/setfiles/restorecon.8
> > +++ b/policycoreutils/setfiles/restorecon.8
> > @@ -224,6 +224,15 @@ and provided the
> >  option is NOT set and recursive mode is set, files will be relabeled as
> >  required with the digests then being updated provided there are no errors.
> >
> > +.SH EXAMPLE
> > +.nf
> > +Fix labeling of /var/www/ including all sub-directories and list all context changes
> > +# restorecon -rv /var/www/
> > +List mislabeled files in user home directory and what the correct label should be
> > +# restorecon -nvr ~
> > +Fix labeling of files listed in file_list file, ignoring any that do not exist
> > +# restorecon -vif file_list
> > +
> >  .SH "AUTHOR"
> >  This man page was written by Dan Walsh <dwalsh@redhat.com>.
> >  Some of the content of this man page was taken from the setfiles
> > diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
> > index e04528e6..51d12a4d 100644
> > --- a/policycoreutils/setfiles/restorecon_xattr.8
> > +++ b/policycoreutils/setfiles/restorecon_xattr.8
> > @@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
> >  .br
> >  the pathname of the directory tree to be searched.
> >
> > +.SH EXAMPLE
> > +.nf
> > +List all paths that where assigned a checksum by "restorecon/setfiles -D"
> > +# restorecon_xattr -r /
> > +Remove all non-matching checksums
> > +# restorecon_xattr -rd /
> > +
> >  .SH "SEE ALSO"
> >  .BR restorecon (8),
> >  .BR setfiles (8)
> > diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> > index bf26e161..892a5062 100644
> > --- a/policycoreutils/setfiles/setfiles.8
> > +++ b/policycoreutils/setfiles/setfiles.8
> > @@ -289,6 +289,15 @@ and provided the
> >  option is NOT set, files will be relabeled as required with the digests then
> >  being updated provided there are no errors.
> >
> > +.SH EXAMPLE
> > +.nf
> > +Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
> > +# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
> > +List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
> > +# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
> > +Fix labeling of files listed in file_list file, ignoring any that do not exist
> > +# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
> > +
> >  .SH "AUTHOR"
> >  This man page was written by Russell Coker <russell@coker.com.au>.
> >  The program was written by Stephen Smalley <sds@tycho.nsa.gov>
> > diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
> > index 52936f5a..f54664fb 100644
> > --- a/policycoreutils/setsebool/setsebool.8
> > +++ b/policycoreutils/setsebool/setsebool.8
> > @@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
> >  .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
> >
> >  .SH "DESCRIPTION"
> > -.B setsebool
> > -sets the current state of a particular SELinux boolean or a list of booleans
> > -to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
> > +.B setsebool
> > +sets the current state of a particular SELinux boolean or a list of booleans
> > +to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
> >
> >  Without the \-P option, only the current boolean value is
> > -affected; the boot-time default settings
> > -are not changed.
> > +affected; the boot-time default settings
> > +are not changed.
> >
> >  If the \-P option is given, all pending values are written to
> >  the policy file on disk. So they will be persistent across reboots.
> > @@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
> >
> >  If the \-V option is given, verbose error messages will be printed from semanage libraries.
> >
> > +.SH EXAMPLE
> > +.nf
> > +Enable container_use_devices boolean (will return to persistent value after reboot)
> > +# setsebool container_use_devices 1
> > +Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
> > +# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
> >
> >  .SH AUTHOR
> >  This manual page was written by Dan Walsh <dwalsh@redhat.com>.
> > --
> > 2.40.0
>