diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index f762874..c6f87ae 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -248999,7 +248999,7 @@ index 6c30734..f6b4b9a 100644 will try reading a context from stdin, if that is not a tty, otherwise .B secon diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile -index 24d6a21..b797d83 100644 +index 24d6a21..6624f03 100644 --- a/policycoreutils/semanage/Makefile +++ b/policycoreutils/semanage/Makefile @@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin @@ -249011,7 +249011,12 @@ index 24d6a21..b797d83 100644 TARGETS=semanage -@@ -21,7 +21,7 @@ install: all +@@ -17,11 +17,11 @@ install: all + [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 + -mkdir -p $(SBINDIR) + install -m 755 semanage $(SBINDIR) +- install -m 644 semanage.8 $(MANDIR)/man8 ++ install -m 644 *.8 $(MANDIR)/man8 test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages -mkdir -p $(BASHCOMPLETIONDIR) 
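Review bot: The rewritten install line in the inner Makefile hunk, `install -m 644 *.8 $(MANDIR)/man8`, ships every `.8` file present in the semanage build directory, not only the pages this patch introduces, so a stale or partially generated page left in the tree would be installed into the system man path alongside them. Narrowing the pattern to the pages the project owns, e.g. `install -m 644 semanage.8 semanage-*.8 $(MANDIR)/man8`, or listing them in a `MANPAGES` variable that the `install:` target expands, keeps the install set explicit and reviewable. Because this is a patch-within-a-patch, the new inner header `@@ -17,11 +17,11 @@ install: all` has to agree with the lines it now spans; only three trailing context lines are visible here, so I cannot confirm the counts and would verify the rebuilt rhat patch applies cleanly before merging. The rest of the `install:` recipe lies outside the hunk.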
@@ -249212,172 +249217,1098 @@ index 6e33c85..7989aac 100644 OBJECT.modify(target, value, use_file) return -diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 -index 28a9022..ac62b49 100644 ---- a/policycoreutils/semanage/semanage.8 -+++ b/policycoreutils/semanage/semanage.8 -@@ -5,41 +5,41 @@ semanage \- SELinux Policy Management tool - .SH "SYNOPSIS" - Output local customizations - .br --.B semanage [ -S store ] -o [ output_file | - ] -+.B semanage [ \-S store ] \-o [ output_file | \- ] +diff --git a/policycoreutils/semanage/semanage-bash-completion.sh b/policycoreutils/semanage/semanage-bash-completion.sh +index edefd9a..be88866 100644 +--- a/policycoreutils/semanage/semanage-bash-completion.sh ++++ b/policycoreutils/semanage/semanage-bash-completion.sh +@@ -1,6 +1,6 @@ + # This file is part of systemd. + # +-# Copyright 2011 Dan Walsh ++# Copyright 2011-2013 Dan Walsh + # + # systemd is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -54,6 +54,8 @@ __get_all_roles () { + __get_all_stores () { + dir -1 -F /etc/selinux/ | grep '/' | cut -d'/' -f 1 + } ++__get_import_opts () { echo '$ALL_OPTS --f --input_file' ; } ++__get_export_opts () { echo '$ALL_OPTS --f --output_file' ; } + __get_boolean_opts () { echo '$ALL_OPTS --on -off -1 -0 -F' ; } + __get_user_opts () { echo '$ALL_OPTS $MANAGED_OPTS -L -r -R --role '; } + __get_login_opts () { echo '$ALL_OPTS $MANAGED_OPTS -s -r '; } +@@ -70,16 +72,18 @@ _semanage () { + local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} + local verb comps + local -A VERBS=( +- [LOGIN]='login' +- [USER]='user' +- [PORT]='port' ++ [BOOLEAN]='boolean' ++ [DONTAUDIT]='dontaudit' ++ [EXPORT]='export' ++ [FCONTEXT]='fcontext' ++ [IMPORT]='import' + [INTERFACE]='interface' ++ [LOGIN]='login' + [MODULE]='module' + [NODE]='node' +- [FCONTEXT]='fcontext' +- [BOOLEAN]='boolean' + [PERMISSIVE]='permissive' +- 
[DONTAUDIT]='dontaudit' ++ [PORT]='port' ++ [USER]='user' + ) - Input local customizations - .br --.B semanage [ -S store ] -i [ input_file | - ] -+.B semanage [ \-S store ] \-i [ input_file | \- ] - - Manage booleans. Booleans allow the administrator to modify the confinement of - processes based on his configuration. - .br --.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file -+.B semanage boolean [\-S store] \-{d|m|l|D|E} [\-nN] [\-\-on|\-\-off|\-\1|\-0] \-F boolean | boolean_file - - Manage SELinux confined users (Roles and levels for an SELinux user) - .br --.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name -+.B semanage user [\-S store] \-{a|d|m|l|D|E} [\-LnNPrR] selinux_name - - Manage login mappings between linux users and SELinux confined users. - .br --.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname -+.B semanage login [\-S store] \-{a|d|m|l|D|E} [\-nNrs] login_name | %groupname - - Manage policy modules. 
- .br --.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name -+.B semanage module [\-S store] \-{a|d|l} [\-m [\-\-enable | \-\-disable] ] [\-N] module_name - - Manage network port type definitions - .br --.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range -+.B semanage port [\-S store] \-{a|d|m|l|D|E} [\-nNrt] [\-p proto] port | port_range - .br - - Manage network interface type definitions - .br --.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec -+.B semanage interface [\-S store] \-{a|d|m|l|D|E} [\-nNrt] interface_spec - - Manage network node type definitions - .br --.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address -+.B semanage node [\-S store] -{a|d|m|l|D|E} [\-nNrt] [ \-p protocol ] [\-M netmask] address - .br - - Manage file context mapping definitions -@@ -97,12 +97,12 @@ Delete a OBJECT record NAME - Remove all OBJECTS local customizations - .TP - .I \-\-disable --Disable a policy module, requires -m option -+Disable a policy module, requires \-m option - - Currently modules only. - .TP - .I \-\-enable --Enable a disabled policy module, requires -m option -+Enable a disabled policy module, requires \-m option - - Currently modules only. - .TP -@@ -114,7 +114,7 @@ defined for the source. - .TP - .I \-f, \-\-ftype - File Type. This is used with fcontext. --Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. -+Requires a file type as shown in the mode field by ls, e.g. use \-d to match only directories or \-\- to match only regular files. - .TP - .I \-F, \-\-file - Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. -@@ -123,11 +123,15 @@ Currently booleans only. 
- - .TP - .I \-h, \-\-help --display this message -+display usage message - .TP - .I \-l, \-\-list - List the OBJECTS - .TP -+.I \-E, \-\-extract -+Extract custommizable commands, which could then be used on another machine. -+Command output is suitable for a transaction. See also --output + if [ "$prev" = "-a" -a "$command" = "permissive" ]; then +@@ -125,7 +129,7 @@ _semanage () { + return 0 + elif __contains_word "$command" ${VERBS[INTERFACE]} ; then + COMPREPLY=( $(compgen -W "$( __get_interface_opts ) " -- "$cur") ) +- return 0p ++ return 0 + elif __contains_word "$command" ${VERBS[MODULE]} ; then + COMPREPLY=( $(compgen -W "$( __get_module_opts ) " -- "$cur") ) + return 0 +@@ -144,6 +148,12 @@ _semanage () { + elif __contains_word "$command" ${VERBS[DONTAUDIT]} ; then + COMPREPLY=( $(compgen -W "$( __get_dontaudit_opts ) " -- "$cur") ) + return 0 ++ elif __contains_word "$command" ${VERBS[IMPORT]} ; then ++ COMPREPLY=( $(compgen -W "$( __get_import_opts ) " -- "$cur") ) ++ return 0 ++ elif __contains_word "$command" ${VERBS[EXPORT]} ; then ++ COMPREPLY=( $(compgen -W "$( __get_export_opts ) " -- "$cur") ) ++ return 0 + fi + COMPREPLY=( $(compgen -W "$comps" -- "$cur") ) + return 0 +diff --git a/policycoreutils/semanage/semanage-boolean.8 b/policycoreutils/semanage/semanage-boolean.8 +new file mode 100644 +index 0000000..344f6b8 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-boolean.8 +@@ -0,0 +1,66 @@ ++.TH "semanage-boolean" "8" "20130617" "" "" ++.SH "NAME" ++semanage boolean\- SELinux Policy Management boolean tool ++.SH "SYNOPSIS" ++.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list \-C | \-\-modify ( ( ( \-\-on | \-\-off ) ( boolean ) ) | \-F boolean_file ) ) ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. 
booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain. ++.SH "OPTIONS" +.TP - .I \-C, \-\-locallist - List only locally defined settings, not base policy settings. - .TP -@@ -174,42 +178,42 @@ Take a set of commands from a specified file and load them in a single - transaction. - .TP - .I \-o, \-\-output --Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine. -+Output all local customizations into a file. This file than can be used with the semanage \-i command to customize other machines to match the local machine. - - .SH EXAMPLE - .nf - .B SELinux user - List SELinux users --# semanage user -l -+# semanage user \-l - - .B SELinux login - Change joe to login as staff_u --# semanage login -a -s staff_u joe -+# semanage login \-a \-s staff_u joe - Change the group clerks to login as user_u --# semanage login -a -s user_u %clerks -+# semanage login \-a \-s user_u %clerks - - .B File contexts --.i remember to run restorecon after you set the file context ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-1, \-\-on ++Enable the boolean ++.TP ++.I \-0, \-\-off ++Disable the 
boolean ++.TP ++.I \-F FILENAME, \-\-file FILENAME ++Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. (Currently booleans only) ++.SH EXAMPLE ++.nf ++Turn on the apache can send mail boolan ++# semanage boolean \-m \-\-on httpd_can_sendmail ++ ++List customized booleans ++# semanage boolean \-l \-C ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++.B setsebool (8) ++.B getsebool (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-dontaudit.8 b/policycoreutils/semanage/semanage-dontaudit.8 +new file mode 100644 +index 0000000..65002f3 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-dontaudit.8 +@@ -0,0 +1,34 @@ ++.TH "semanage-dontaudit" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage dontaudit\- SELinux Policy Management dontaudit tool ++.SH "SYNOPSIS" ++.B semanage dontaudit [\-h] [\-S STORE] [\-N] {on,off} ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause ++confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-N, \-\-noreload ++Do not reload the policy after commit ++ ++.SH EXAMPLE ++.nf ++Turn off dontaudit rules ++# semanage dontaudit off ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-export.8 b/policycoreutils/semanage/semanage-export.8 +new file mode 100644 +index 0000000..1b20c82 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-export.8 +@@ -0,0 +1,37 @@ ++.TH "semanage-export" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage export\- SELinux Policy Management import tool ++.SH "SYNOPSIS" ++.B semanage export [\-h] [\-S STORE] [\-f OUTPUT_FILE] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-f OUTPUT_FILE, \-\-output_file OUTPUT_FILE ++Output file ++ ++.SH EXAMPLE ++.nf ++Import semanage modifications from another machine ++# semanage export -f semanage.mods ++# scp semanage.mod remotemachine: ++# ssh remotemachine ++# semanage import -f semanage.mods ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8), ++.B semanage-import (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-fcontext.8 b/policycoreutils/semanage/semanage-fcontext.8 +new file mode 100644 +index 0000000..1ac1310 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-fcontext.8 +@@ -0,0 +1,86 @@ ++.TH "semanage-fcontext" "8" "20130617" "" "" ++.SH "NAME" ++semanage fcontext\- SELinux Policy Management file context tool ++ ++.SH "SYNOPSIS" ++.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list \-C | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage fcontext is used to manage the default ++file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-e EQUAL, \-\-equal EQUAL ++Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source. ++.TP ++.I \-f [{"",\-\-,\-d,\-c,\-b,\-s,\-l,\-p}], \-\-ftype [{"",\-\-,\-d,\-c,\-b,\-s,\-l,\-p}] ++File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use \-d to match only directories or \-\- to match only regular files. The following file type options can be passed: "" (all files),\-\- (regular file),\-d (directory),\-c (character device), \-b (block device),\-s (socket),\-l (symbolic link),\-p (named pipe) ++.TP ++.I \-s SEUSER, \-\-seuser SEUSER ++SELinux user name ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux Type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. 
++ ++.SH EXAMPLE ++.nf +.I remember to run restorecon after you set the file context - Add file-context for everything under /web --# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" --# restorecon -R -v /web ++Add file-context for everything under /web +# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?" +# restorecon \-R \-v /web - - Substitute /home1 with /home when setting file context --# semanage fcontext -a -e /home /home1 --# restorecon -R -v /home1 ++ ++Substitute /home1 with /home when setting file context +# semanage fcontext \-a \-e /home /home1 +# restorecon \-R \-v /home1 - - For home directories under top level directory, for example /disk6/home, - execute the following commands. --# semanage fcontext -a -t home_root_t "/disk6" --# semanage fcontext -a -e /home /disk6/home --# restorecon -R -v /disk6 ++ ++For home directories under top level directory, for example /disk6/home, ++execute the following commands. +# semanage fcontext \-a \-t home_root_t "/disk6" +# semanage fcontext \-a \-e /home /disk6/home +# restorecon \-R \-v /disk6 - - .B Port contexts - Allow Apache to listen on tcp port 81 --# semanage port -a -t http_port_t -p tcp 81 -+# semanage port \-a \-t http_port_t \-p tcp 81 - - .B Change apache to a permissive domain --# semanage permissive -a httpd_t ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-import.8 b/policycoreutils/semanage/semanage-import.8 +new file mode 100644 +index 0000000..fb95a04 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-import.8 +@@ -0,0 +1,36 @@ ++.TH "semanage-import" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage import\- SELinux Policy Management import tool ++.SH "SYNOPSIS" ++.B semanage import [\-h] [\-N] [\-S STORE] [\-f INPUT_FILE] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or 
recompilation ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. ++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-f INPUT_FILE, \-\-input_file INPUT_FILE ++Input file ++.SH EXAMPLE ++.nf ++Import semanage modifications from another machine ++# semanage import -f semanage.mods ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8), ++.B semanage-export (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-interface.8 b/policycoreutils/semanage/semanage-interface.8 +new file mode 100644 +index 0000000..7c67718 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-interface.8 +@@ -0,0 +1,63 @@ ++.TH "semanage-interface" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage interface\- SELinux Policy Management network interface tool ++.SH "SYNOPSIS" ++.B semanage interface [-h] [-n] [-N] [-s STORE] [ --add -t TYPE -r RANGE interface | --delete interface | --deleteall | --extract | --list -C | --modify -t TYPE -r RANGE interface ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage interface controls the labels assigned to network interfaces. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. 
++ ++.SH EXAMPLE ++.nf ++list all interface defitions ++# semanage interface -l ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-login.8 b/policycoreutils/semanage/semanage-login.8 +new file mode 100644 +index 0000000..c240f28 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-login.8 +@@ -0,0 +1,66 @@ ++.TH "semanage-login" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage login\- SELinux Policy Management linux user to SELinux User mapping tool ++.SH "SYNOPSIS" ++.B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list \-C | \-\-modify \-s SEUSER \-r RANGE LOGIN ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-s SEUSER, \-\-seuser SEUSER ++SELinux user name ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. 
++ ++.SH EXAMPLE ++.nf ++Modify the default user on the system to the guest_u user ++# semanage login -m -s guest_u __default__ ++Assign all users in the engineering group to the staff_u user ++# semanage login -a -s staff_u @engineering ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8), ++.B semanage-user (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-module.8 b/policycoreutils/semanage/semanage-module.8 +new file mode 100644 +index 0000000..12897dc +--- /dev/null ++++ b/policycoreutils/semanage/semanage-module.8 +@@ -0,0 +1,53 @@ ++.TH "semanage-module" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage module\\- SELinux Policy Management module mapping tool ++.SH "SYNOPSIS" ++.B semanage module [\-h] [\-n] [\-N] [\-S STORE] ++ (\-a | \-d | \-m {enable,disable} | \-l) ++ [module_name] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m {enable,disable}, \-\-modify {enable,disable} ++Enable or Disable specified module ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++ ++.SH EXAMPLE ++.nf ++List all modules ++# semanage module \-l ++Disable unconfined module ++# semanage module \-\-disable unconfined ++Install custom apache policy module ++# semanage module \-a myapache ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++.B semodule (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-node.8 b/policycoreutils/semanage/semanage-node.8 +new file mode 100644 +index 0000000..dd54a94 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-node.8 +@@ -0,0 +1,58 @@ ++.TH "semanage-node" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage node\- SELinux Policy Management node mapping tool ++.SH "SYNOPSIS" ++.B semanage node [-h] [-n] [-N] [-s STORE] [ --add -M NETMASK -p PROTOCOL -t TYPE -r RANGE node | --delete -M NETMASK -p PROTOCOL node | --deleteall | --extract | --list -C | --modify -M NETMASK -p PROTOCOL -t TYPE -r RANGE node ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage controls the ipaddress to node type definitions. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-M NETMASK, \-\-netmask NETMASK ++Network Mask ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. ++.TP ++.I \-p PROTO, \-\-proto PROTO ++ ++Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6). +diff --git a/policycoreutils/semanage/semanage-permissive.8 b/policycoreutils/semanage/semanage-permissive.8 +new file mode 100644 +index 0000000..9a143df +--- /dev/null ++++ b/policycoreutils/semanage/semanage-permissive.8 +@@ -0,0 +1,45 @@ ++.TH "semanage-permissive" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage permissive \- SELinux Policy Management permissive mapping tool ++.SH "SYNOPSIS" ++.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. 
semanage permissive adds or removes a SELinux Policy permissive module. ++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload the policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++ ++.SH EXAMPLE ++.nf ++List all permissive modules ++# semanage permissive \-l ++Make httpd_t (Web Server) a permissive domain +# semanage permissive \-a httpd_t ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-port.8 b/policycoreutils/semanage/semanage-port.8 +new file mode 100644 +index 0000000..d460cfc +--- /dev/null ++++ b/policycoreutils/semanage/semanage-port.8 +@@ -0,0 +1,68 @@ ++.TH "semanage-port" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage port\- SELinux Policy Management port mapping tool ++.SH "SYNOPSIS" ++.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list \-C | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type defitions. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List OBJECTS local customizations ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all OBJECTS local customizations ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. ++.TP ++.I \-p PROTO, \-\-proto PROTO ++Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6). 
++ ++.SH EXAMPLE ++.nf ++List all port defitions ++# semanage port \-l ++Allow Apache to listen on tcp port 81 ++# semanage port \-a \-t http_port_t \-p tcp 81 ++Allow sshd to listen on tcp port 8991 ++# semanage port \-a \-t ssh_port_t \-p tcp 8991 ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Walsh +diff --git a/policycoreutils/semanage/semanage-user.8 b/policycoreutils/semanage/semanage-user.8 +new file mode 100644 +index 0000000..d811d24 +--- /dev/null ++++ b/policycoreutils/semanage/semanage-user.8 +@@ -0,0 +1,71 @@ ++.TH "semanage-user" "8" "20130617" "" "" ++.SH "NAME" ++.B semanage user\- SELinux Policy Management SELinux User mapping tool ++.SH "SYNOPSIS" ++.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list \-C | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of ++SELinux policy without requiring modification to or recompilation ++from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels. 
++
++.SH "OPTIONS"
++.TP
++.I \-h, \-\-help
++show this help message and exit
++.TP
++.I \-n, \-\-noheading
++Do not print heading when listing the specified object type
++.TP
++.I \-N, \-\-noreload
++Do not reload policy after commit
++.TP
++.I \-S STORE, \-\-store STORE
++Select an alternate SELinux Policy Store to manage
++.TP
++.I \-C, \-\-locallist
++List OBJECTS local customizations
++.TP
++.I \-a, \-\-add
++Add a record of the specified object type
++.TP
++.I \-d, \-\-delete
++Delete a record of the specified object type
++.TP
++.I \-m, \-\-modify
++Modify a record of the specified object type
++.TP
++.I \-l, \-\-list
++List records of the specified object type
++.TP
++.I \-E, \-\-extract
++Extract customizable commands, for use within a transaction
++.TP
++.I \-D, \-\-deleteall
++Remove all OBJECTS local customizations
++.TP
++.I \-L LEVEL, \-\-level LEVEL
++Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
++.TP
++.I \-r RANGE, \-\-range RANGE
++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
++.TP
++.I \-R [ROLES], \-\-roles [ROLES]
++SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
++
++.SH EXAMPLE
++.nf
++List SELinux users
++# semanage user \-l
++Modify groups for staff_u user
++# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
++Add level for TopSecret Users
++# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u
++
++.SH "SEE ALSO"
++.B selinux (8),
++.B semanage (8)
++.B semanage\-login (8)
++
++.SH "AUTHOR"
++This man page was written by Daniel Walsh
+diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
+index 28a9022..90b142e 100644
+--- a/policycoreutils/semanage/semanage.8
++++ b/policycoreutils/semanage/semanage.8
+@@ -3,70 +3,45 @@
+ semanage \- SELinux Policy Management tool
- .B Turn off dontaudit rules
- # semanage dontaudit off
-@@ -219,10 +223,10 @@ Multiple machines that need the same customizations.
- Extract customizations off first machine, copy them
- to second and import them.
+ .SH "SYNOPSIS"
++.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
++ ...
++.B positional arguments:
++
++.B import
+ Output local customizations
+-.br
+-.B semanage [ -S store ] -o [ output_file | - ]
+-Input local customizations
+-.br
+-.B semanage [ -S store ] -i [ input_file | - ]
++.B export
++Output local customizations
+ 
+-Manage booleans. Booleans allow the administrator to modify the confinement of
+-processes based on his configuration.
+-.br
+-.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
++.B login
++Manage login mappings between linux users and SELinux confined users
+ 
++.B user
+ Manage SELinux confined users (Roles and levels for an SELinux user)
+-.br
+-.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name
+-
+-Manage login mappings between linux users and SELinux confined users.
+-.br
+-.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname
+-
+-Manage policy modules.
+-.br
+-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
+ 
++.B port
+ Manage network port type definitions
+-.br
+-.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
+-.br
+ 
++.B interface
+ Manage network interface type definitions
+-.br
+-.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec
+ 
++.B module
++Manage SELinux policy modules
++
++.B node
+ Manage network node type definitions
+-.br
+-.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
+-.br
+ 
++.B fcontext
+ Manage file context mapping definitions
+-.br
+-.B semanage fcontext [\-S store] \-{l} [\-Cn]
+-.br
+-.B semanage fcontext [\-S store] \-D [\-N]
+-.br
+-.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
+-.br
+-.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
+-.br
+ 
+-Manage processes type enforcement mode
+-.br
+-.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
+-.br
++.B boolean
++Manage booleans to selectively enable functionality
+ 
+-Disable/Enable dontaudit rules in policy
+-.br
+-.B semanage dontaudit [\-N] [\-S store] [ on | off ]
+-.P
++.B permissive
++Manage process type enforcement mode
+ 
+-Execute multiple commands within a single transaction.
+-.br
+-.B semanage [\-S store] [\-N] \-i command-file
+-.br
++.B dontaudit
++Disable/Enable dontaudit rules in policy
+ 
+ .SH "DESCRIPTION"
+ semanage is used to configure certain elements of
+@@ -87,147 +62,23 @@ modification.
+ 
+ .SH "OPTIONS"
+ .TP
+-.I \-a, \-\-add
+-Add a OBJECT record NAME
+-.TP
+-.I \-d, \-\-delete
+-Delete a OBJECT record NAME
+-.TP
+-.I \-D, \-\-deleteall
+-Remove all OBJECTS local customizations
+-.TP
+-.I \-\-disable
+-Disable a policy module, requires -m option
+-
+-Currently modules only.
+-.TP
+-.I \-\-enable
+-Enable a disabled policy module, requires -m option
+-
+-Currently modules only.
+-.TP
+-.I \-e, \-\-equal
+-Substitute target path with sourcepath when generating default label. This is used with
+-fcontext. Requires source and target path arguments. The context
+-labeling for the target subtree is made equivalent to that
+-defined for the source.
+-.TP
+-.I \-f, \-\-ftype
+-File Type. This is used with fcontext.
+-Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+-.TP
+-.I \-F, \-\-file
+-Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
+-
+-Currently booleans only.
+-
+-.TP
+-.I \-h, \-\-help
+-display this message
+-.TP
+-.I \-l, \-\-list
+-List the OBJECTS
+-.TP
+-.I \-C, \-\-locallist
+-List only locally defined settings, not base policy settings.
+-.TP
+-.I \-L, \-\-level
+-Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
+-.TP
+-.I \-m, \-\-modify
+-Modify a OBJECT record NAME
+-.TP
+-.I \-M, \-\-mask
+-Network Mask
+-.TP
+-.I \-n, \-\-noheading
+-Do not print heading when listing OBJECTS.
+-.TP
+-.B \-N,\-\-noreload
+-do not reload policy after commit
+-.TP
+-.I \-p, \-\-proto
+-Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
+-.TP
+-.I \-r, \-\-range
+-MLS/MCS Security Range (MLS/MCS Systems only)
+-SELinux Range for SELinux login mapping defaults to the SELinux user record range.
+-SELinux Range for SELinux user defaults to s0.
+-.TP
+-.I \-R, \-\-roles
+-SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
+-.TP
+-.I \-P, \-\-prefix
+-SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
+-.TP
+-.I \-s, \-\-seuser
+-SELinux user name
+-.TP
+-.I \-S, \-\-store
+-Select and alternate SELinux store to manage
+-.TP
+-.I \-t, \-\-type
+-SELinux Type for the object
+-.TP
+-.I \-i, \-\-input
+-Take a set of commands from a specified file and load them in a single
+-transaction.
+-.TP
+-.I \-o, \-\-output
+-Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
+-
+-.SH EXAMPLE
+-.nf
+-.B SELinux user
+-List SELinux users
+-# semanage user -l
+-
+-.B SELinux login
+-Change joe to login as staff_u
+-# semanage login -a -s staff_u joe
+-Change the group clerks to login as user_u
+-# semanage login -a -s user_u %clerks
+-
+-.B File contexts
+-.i remember to run restorecon after you set the file context
+-Add file-context for everything under /web
+-# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+-# restorecon -R -v /web
+-
+-Substitute /home1 with /home when setting file context
+-# semanage fcontext -a -e /home /home1
+-# restorecon -R -v /home1
+-
+-For home directories under top level directory, for example /disk6/home,
+-execute the following commands.
+-# semanage fcontext -a -t home_root_t "/disk6"
+-# semanage fcontext -a -e /home /disk6/home
+-# restorecon -R -v /disk6
+-
+-.B Port contexts
+-Allow Apache to listen on tcp port 81
+-# semanage port -a -t http_port_t -p tcp 81
+-
+-.B Change apache to a permissive domain
+-# semanage permissive -a httpd_t
+-
+-.B Turn off dontaudit rules
+-# semanage dontaudit off
+-
+-.B Managing multiple machines
+-Multiple machines that need the same customizations.
+-Extract customizations off first machine, copy them
+-to second and import them.
+- -# semanage -o /tmp/local.selinux -+# semanage \-o /tmp/local.selinux - # scp /tmp/local.selinux secondmachine:/tmp - # ssh secondmachine +-# scp /tmp/local.selinux secondmachine:/tmp +-# ssh secondmachine -# semanage -i /tmp/local.selinux -+# semanage \-i /tmp/local.selinux +- +-If these customizations include file context, you need to apply the +-context using restorecon. +- +-.fi ++.I \-h, \-\-help ++List help information ++ ++.SH "SEE ALSO" ++.B selinux (8), ++.B semanage-boolean (8), ++.B semanage-dontaudit (8), ++.B semanage-export (8), ++.B semanage-fcontext (8), ++.B semanage-import (8), ++.B semanage-interface (8), ++.B semanage-login (8), ++.B semanage-module (8), ++.B semanage-node (8), ++.B semanage-permissive (8), ++.B semanage-port (8), ++.B semanage-user (8) - If these customizations include file context, you need to apply the - context using restorecon. + .SH "AUTHOR" + This man page was written by Daniel Walsh +@@ -235,3 +86,5 @@ This man page was written by Daniel Walsh + and Russell Coker . + .br + Examples by Thomas Bleher . ++usage: semanage [-h] ++ diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 85bc37f..35591df 100644 --- a/policycoreutils/semanage/seobject.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 1e1b7ce..5397e2f 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 52%{?dist} +Release: 53%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -311,6 +311,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Jun 17 2013 Dan Walsh - 2.1.14-53 +- Add new man pages for each semanage subsection + * Mon Jun 17 2013 Dan Walsh - 2.1.14-52 - Fix handling of sepolicy network sorting. - Additional interfaces needed for sepolicy gui