Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed, first time

- Add Sven Vermeulen patches to clean up man pages
Dan Walsh 2013-05-12 06:06:28 -04:00
parent a941cc9a2c
commit d610eb1fd8
2 changed files with 671 additions and 63 deletions


@ -111,18 +111,109 @@ index 8e0c396..4fa07a1 100644
if __name__ == "__main__":
app = AuditToPolicy()
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index a854a45..bc70938 100644
index a854a45..0155f98 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -171,7 +171,7 @@ $ semodule -i local.pp
@@ -29,7 +29,7 @@
\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
-\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow \-w)
.SH SYNOPSIS
.B audit2allow
@@ -37,16 +37,16 @@
.SH OPTIONS
.TP
.B "\-a" | "\-\-all"
-Read input from audit and message log, conflicts with -i
+Read input from audit and message log, conflicts with \-i
.TP
.B "\-b" | "\-\-boot"
-Read input from audit messages since last boot conflicts with -i
+Read input from audit messages since last boot conflicts with \-i
.TP
.B "\-d" | "\-\-dmesg"
Read input from output of
.I /bin/dmesg.
Note that all audit messages are not available via dmesg when
-auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
+auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead.
.TP
.B "\-D" | "\-\-dontaudit"
Generate dontaudit rules (Default: allow)
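Review bot: the \-a and \-b descriptions read as run-ons once the flags are escaped; since these lines are being rewritten anyway, add the comma: `Read input from audit and message log, conflicts with \-i` and `Read input from audit messages since last boot, conflicts with \-i`.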
@@ -65,7 +65,7 @@ read input only after last policy reload
Generate module/require output <modulename>
.TP
.B "\-M <modulename>"
-Generate loadable module package, conflicts with -o
+Generate loadable module package, conflicts with \-o
.TP
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
@@ -123,7 +123,7 @@ an 'allow' rule.
.PP
.B Using audit2allow to generate module policy
-$ cat /var/log/audit/audit.log | audit2allow -m local > local.te
+$ cat /var/log/audit/audit.log | audit2allow \-m local > local.te
$ cat local.te
module local 1.0;
@@ -141,7 +141,7 @@ allow myapp_t etc_t:file { getattr open read };
.B Using audit2allow to generate module policy using reference policy
-$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
+$ cat /var/log/audit/audit.log | audit2allow \-R \-m local > local.te
$ cat local.te
policy_module(local, 1.0)
@@ -157,32 +157,32 @@ files_read_etc_files(myapp_t)
# SELinux provides a policy devel environment under /usr/share/selinux/devel
# You can create a te file and compile it by executing
-$ make -f /usr/share/selinux/devel/Makefile
-$ semodule -i local.pp
+$ make -f /usr/share/selinux/devel/Makefile local.pp
+$ semodule \-i local.pp
.B Building module policy manually
# Compile the module
-$ checkmodule -M -m -o local.mod local.te
+$ checkmodule \-M \-m \-o local.mod local.te
# Create the package
-$ semodule_package -o local.pp -m local.mod
+$ semodule_package \-o local.pp \-m local.mod
# Load the module into the kernel
-$ semodule -i local.pp
+$ semodule \-i local.pp
.B Using audit2allow to generate and build module policy
$ cat /var/log/audit/audit.log | audit2allow -M local
-$ cat /var/log/audit/audit.log | audit2allow -M local
-Generating type enforcment file: local.te
-Compiling policy: checkmodule -M -m -o local.mod local.te
-Building package: semodule_package -o local.pp -m local.mod
+$ cat /var/log/audit/audit.log | audit2allow \-M local
+Generating type enforcement file: local.te
Compiling policy: checkmodule -M -m -o local.mod local.te
Building package: semodule_package -o local.pp -m local.mod
+Compiling policy: checkmodule \-M \-m \-o local.mod local.te
+Building package: semodule_package \-o local.pp \-m local.mod
******************** IMPORTANT ***********************
In order to load this newly created policy package into the kernel,
you are required to execute
-semodule -i local.pp
+semodule \-i local.pp
-.B Using audit2allow to generate monolithic (non-module) policy
+.B Using audit2allow to generate monolithic (non\-module) policy
$ cd /etc/selinux/$SELINUXTYPE/src/policy
$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
$ cat domains/misc/local.te
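Review bot: `$ make -f /usr/share/selinux/devel/Makefile local.pp` is the one command in this hunk whose flag stays a bare `-f` while every neighbouring command (`semodule \-i`, `checkmodule \-M \-m \-o`, `semodule_package \-o \-m`) was converted; make it `make \-f` so the rendered example copies back as ASCII hyphen-minus like the rest. Adding the explicit `local.pp` target to that line is fine.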
diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1
new file mode 100644
index 0000000..a9e8893
@ -516,7 +607,7 @@ index f9ca36e..a86073f 100644
.SH "EXIT STATUS"
.TP
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index 4963cdc..a55dbed 100644
index 4963cdc..dbfec55 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -92,7 +92,7 @@ The binary policy name has by convention the SELinux policy version that it supp
@ -528,6 +619,84 @@ index 4963cdc..a55dbed 100644
.RE
.sp
.B REQUIRESEUSERS
@@ -122,7 +122,7 @@ This is an optional entry that allows the file system to be relabeled.
.sp
If set to \fI0\fR and there is a file called \fI.autorelabel\fR in the root directory, then on a reboot, the loader will drop to a shell where a root login is required. An administrator can then manually relabel the file system.
.sp
-If set to \fI1\fR or no entry present (the default) and there is a \fI.autorelabel\fR file in the root directory, then the file system will be automatically relabeled using \fBfixfiles -F restore\fR
+If set to \fI1\fR or no entry present (the default) and there is a \fI.autorelabel\fR file in the root directory, then the file system will be automatically relabeled using \fBfixfiles \-F restore\fR
.sp
In both cases the \fI/.autorelabel\fR file will be removed so that relabeling is not done again.
.RE
diff --git a/policycoreutils/mcstrans/man/man8/mcs.8 b/policycoreutils/mcstrans/man/man8/mcs.8
index 44126bf..aeaf22e 100644
--- a/policycoreutils/mcstrans/man/man8/mcs.8
+++ b/policycoreutils/mcstrans/man/man8/mcs.8
@@ -20,7 +20,7 @@ readable form. Administrators can define any labels they want in this file.
Certain applications like printing and auditing will use these labels to
identify the files. By setting a category on a file you will prevent
other applications/services from having access to the files.
-.p
+.P
Examples of file labels would be PatientRecord, CompanyConfidential etc.
.SH "SEE ALSO"
diff --git a/policycoreutils/newrole/newrole.1 b/policycoreutils/newrole/newrole.1
index 376c458..c47bc52 100644
--- a/policycoreutils/newrole/newrole.1
+++ b/policycoreutils/newrole/newrole.1
@@ -44,7 +44,7 @@ Additional arguments
.I ARGS
may be provided after a -- option,
in which case they are supplied to the new shell.
-In particular, an argument of -- -c will cause the next argument to be
+In particular, an argument of \-\- \-c will cause the next argument to be
treated as a command by most command interpreters.
.PP
If a command argument is specified to newrole and the command name is found
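Review bot: `may be provided after a -- option,` keeps a bare `--` while the changed line directly below it escapes the same token as `\-\-`; convert the first occurrence too, otherwise one of the two renders as typographic hyphens and the other as minus signs in the same paragraph.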
@@ -66,31 +66,31 @@ shows the current version of newrole
.SH EXAMPLE
.br
Changing role:
- # id -Z
+ # id \-Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
- # newrole -r sysadm_r
- # id -Z
+ # newrole \-r sysadm_r
+ # id \-Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
Changing sensitivity only:
- # id -Z
+ # id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
- # newrole -l Secret
- # id -Z
+ # newrole \-l Secret
+ # id \-Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
.PP
Changing sensitivity and clearance:
- # id -Z
+ # id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
- # newrole -l Secret-Secret
- # id -Z
+ # newrole \-l Secret-Secret
+ # id \-Z
staff_u:sysadm_r:sysadm_t:Secret
.PP
Running a program in a given role or level:
- # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
- # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
+ # newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..."
+ # newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..."
.SH FILES
/etc/passwd - user account information
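Review bot: only the option flags were escaped in the EXAMPLE section; the hyphens inside the MLS ranges (`SystemLow-SystemHigh`, `Unclassified-SystemHigh`) and in the argument `\-l Secret-Secret` are literal hyphen-minus characters a user would type or paste back into `newrole`, so they should get the same `\-` treatment, e.g. `# newrole \-l Secret\-Secret` and `staff_u:sysadm_r:sysadm_t:Secret\-SystemHigh`.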
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 8fbf2d0..4e59a06 100644
--- a/policycoreutils/newrole/newrole.c
@ -249039,6 +249208,19 @@ index 00a646f..2c28676 100644
g_main_loop_unref (loop);
return 0;
}
diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
index 12b39b4..5815a08 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -33,7 +33,7 @@ open_init_pty: open_init_pty.c
install: all
test -d $(SBINDIR) || install -m 755 -d $(SBINDIR)
- test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
install -m 755 run_init $(SBINDIR)
install -m 755 open_init_pty $(SBINDIR)
install -m 644 run_init.8 $(MANDIR)/man8/
diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd
index d1b435c..1c323d2 100644
--- a/policycoreutils/run_init/run_init.pamd
@ -249073,69 +249255,112 @@ index b629006..6631c2d 100644
parser.add_option("-l", "--level", dest="level",
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 521afcd..8e64965 100644
index 521afcd..0c8cd1e 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -24,25 +24,29 @@ allows you to run X applications within a sandbox. These applications will star
If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
@@ -3,87 +3,94 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
.br
.B sandbox
-[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
.br
.SH DESCRIPTION
.PP
Run the
.I cmd
-application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox.
If you have the
.I policycoreutils-sandbox
-package installed, you can use the -X option and the -M option.
-.B sandbox -X
+package installed, you can use the \-X option and the \-M option.
+.B sandbox \-X
allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
-If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
+If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
.PP
.TP
-\fB\-H\ homedir
+\fB\-h\ \fB\--help\fR
-Use alternate homedir to mount over your home directory. Defaults to temporary. Requires -X or -M.
+\fB\-h\ \fB\\-\-help\fR
+display usage message
+.TP
+\fB\-H\ \fB\--homedir\fR
Use alternate homedir to mount over your home directory. Defaults to temporary. Requires -X or -M.
.TP
-\fB\-i file\fR
+\fB\-i\fR \fB\--include\fR
+\fB\-H\ \fB\\-\-homedir\fR
+Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M.
+.TP
+\fB\-i\fR \fB\-\-include\fR
Copy this file into the appropriate temporary sandbox directory. Command can be repeated.
.TP
-\fB\-I inputfile\fR Copy all files listed in inputfile into the
+\fB\-I\fR \fB\--includefile\fR
+\fB\-I\fR \fB\-\-includefile\fR
+Copy all files listed in inputfile into the
appropriate temporary sandbox directories.
.TP
-\fB\-l\fR
+\fB\-l\fR \fB\--level\fR
+\fB\-l\fR \fB\-\-level\fR
Specify the MLS/MCS Security Level to run the sandbox with. Defaults to random.
.TP
-\fB\-M\fR
+\fB\-M\fR \fB\--mount\fR
+\fB\-M\fR \fB\-\-mount\fR
Create a Sandbox with temporary files for $HOME and /tmp.
.TP
-\fB\-s\fR \fB\--shred\fR
+\fB\-s\fR \fB\--shred\fR
+\fB\-s\fR \fB\-\-shred\fR
Shred temporary files created in $HOME and /tmp, before deleting.
.TP
-\fB\-t type\fR
+\fB\-t\fR \fB\--type\fR
Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
-Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
+\fB\-t\fR \fB\-\-type\fR
+Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for \-X.
\fBExamples:\fR
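Review bot: the rewritten tags `\fB\-h\ \fB\\-\-help\fR` and `\fB\-H\ \fB\\-\-homedir\fR` contain a doubled backslash; in groff text `\\` prints a literal backslash, so these entries will render as `\--help` and `\--homedir`. Write them as `\fB\-h\fR, \fB\-\-help\fR` and `\fB\-H\fR, \fB\-\-homedir\fR \fIhomedir\fR` (that also removes the stray unpaddable space `\ ` and the unclosed first `\fB`). Separately, the new entries for \-H, \-i, \-I, \-l and \-t drop the argument placeholder that the SYNOPSIS above still shows (`\-l level`, `\-H homedir`, `\-I includefile`, `\-t type`); keep it on the tag line, e.g. `\fB\-l\fR, \fB\-\-level\fR \fIlevel\fR`, so readers can see the option takes a value.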
@@ -58,32 +62,35 @@ sandbox_web_t - Ports required for web browsing
sandbox_net_t - All network ports
.br
-sandbox_t - No X, No Network Access, No Open, read/write on passed in file descriptors.
+sandbox_t \- No X, No Network Access, No Open, read/write on passed in file descriptors.
.br
-sandbox_min_t - No Network Access
+sandbox_min_t \- No Network Access
.br
-sandbox_x_t - Printer Ports
+sandbox_x_t \- Printer Ports
.br
-sandbox_web_t - Ports required for web browsing
+sandbox_web_t \- Ports required for web browsing
.br
-sandbox_net_t - All network ports
+sandbox_net_t \- All network ports
.TP
-\fB\-T\ tmpdir
-Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M.
+\fB\-T\fR \fB\--tmpdir\fR
+Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M.
+\fB\-T\fR \fB\-\-tmpdir\fR
+Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M.
.TP
-\fB\-S
+\fB\-S\fR \fB\--session\fR
+\fB\-S\fR \fB\-\-session\fR
Run a full desktop session, Requires level, and home and tmpdir.
.TP
-\fB\-w windowsize\fR
+\fB\-w\fR \fB\--windowsize\fR
+\fB\-w\fR \fB\-\-windowsize\fR
+
Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
.TP
-\fB\-W windowmanager\fR
+\fB\-W\fR \fB\--windowmanager\fR
+\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox -X.
-.B sandbox -X.
-Default to /usr/bin/matchbox-window-manager.
+.B sandbox \-X.
+Default to /usr/bin/openbox.
.TP
\fB\-X\fR
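Review bot: the added empty line after `\fB\-w\fR \fB\-\-windowsize\fR` sits between the .TP tag and its description; a blank input line is a paragraph break in man source, so the \-w description will be pushed away from its tag. Drop that line. Also `Default to /usr/bin/openbox.` changes the documented default window manager from matchbox-window-manager; the matching change to the sandbox script's default is not visible in this diff, so confirm it landed, and reword to `Defaults to /usr/bin/openbox.` As in the previous hunk, \-T, \-w and \-W lose their argument placeholders (`tmpdir`, `windowsize`, `windowmanager`) that the SYNOPSIS still lists.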
@ -249144,19 +249369,19 @@ index 521afcd..8e64965 100644
.TP
-\fB\-d\fR
-Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
+\fB\-d\fR \fB\--dpi\fR
+\fB\-d\fR \fB\-\-dpi\fR
+Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
.TP
-\fB\-c\fR
-Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+\fB\-c\fR \fB\--cgroups\fR
+\fB\-c\fR \fB\-\-cgroups\fR
+Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
.TP
-\fB\-C\fR
-Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
+\fB\-C\fR \fB\--capabilities\fR Use capabilities within the
+\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
+sandbox. By default applications executed within the sandbox will not
+be allowed to use capabilities (setuid apps), with the -C flag, you
+be allowed to use capabilities (setuid apps), with the \-C flag, you
+can use programs requiring capabilities.
.PP
.SH "SEE ALSO"
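Review bot: `Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.` fixes `sanbox` but leaves `Sever`; make it `Server`. On the \-C entry the description now starts on the tag line (`\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the`), so .TP will set `Use capabilities within the` in bold as part of the option name and break the line there; move the sentence to the line after the tag, as every other entry does.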
@ -249257,6 +249482,28 @@ index 201a988..f5d6e9d 100644
install -m 644 chcat.8 $(MANDIR)/man8/
clean:
diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8
index 7c6d75a..d095a25 100644
--- a/policycoreutils/scripts/chcat.8
+++ b/policycoreutils/scripts/chcat.8
@@ -21,7 +21,7 @@ chcat \- change file SELinux security category
[\fI-d\fR] \fIuser\fR...
.br
.B chcat
-\fI-L\fR [ -l ] [ user ... ]
+\fI-L\fR [ \-l ] [ user ... ]
.br
.SH DESCRIPTION
.PP
@@ -31,7 +31,7 @@ Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR.
.PP
.B
Note:
-When removing a category you must specify '--' on the command line before using the -Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
+When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
.TP
\fB\-d\fR
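Review bot: the synopsis line `\fI-L\fR [ \-l ] [ user ... ]` escapes `\-l` but leaves `-L`, and `[\fI-d\fR]` two lines above it, with bare hyphens; convert those as well (`\fI\-L\fR`, `[\fI\-d\fR]`) so the whole SYNOPSIS renders with ASCII minus signs rather than a mix.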
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6901e4d..5acb111 100755
--- a/policycoreutils/scripts/fixfiles
@ -249506,19 +249753,64 @@ index 6901e4d..5acb111 100755
fi
exit $?
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9ab7334..f263805 100644
index 9ab7334..0086417 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -30,7 +30,7 @@ as you expect. By default it will relabel all mounted ext2, ext3, xfs and
@@ -5,13 +5,13 @@ fixfiles \- fix file SELinux security contexts.
.SH "SYNOPSIS"
.B fixfiles
-.I [-v] [-F] [-l logfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
+.I [\-v] [\-F] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ]
.B fixfiles
-.I [-v] [-F] [ -R rpmpackagename[,rpmpackagename...] ] [-l logfile ] { check | restore | verify }
+.I [\-v] [\-F] [ \-R rpmpackagename[,rpmpackagename...] ] [\-l logfile ] { check | restore | verify }
.B fixfiles
-.I [-v] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] { check | restore | verify }
+.I [\-v] [ \-C PREVIOUS_FILECONTEXT ] [\-l logfile ] { check | restore | verify }
.B fixfiles
.I onboot
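Review bot: `{ check | restore|[\-f] relabel | verify }` keeps the uneven spacing around `restore|[\-f]`; since the line is being rewritten, space it like its neighbours: `{ check | restore | [\-f] relabel | verify }`.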
@@ -28,35 +28,35 @@ It can also be run at any time to relabel when adding support for
new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
-option. You can use the -R flag to use rpmpackages as an alternative.
+option. You can use the \-R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
-excluded from relabelling.
+excluded from relabeling.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
@@ -56,7 +56,7 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
.SH "OPTIONS"
.TP
-.B -l logfile
+.B \-l logfile
Save the output to the specified logfile
.TP
-.B -F
-Force reset of context to match file_context for customizable files
+.B \-F
+Force reset of context to match file_context for customizable files
.TP
-.B -f
+.B \-f
Clear /tmp directory with out prompt for removal.
.TP
-.B -R rpmpackagename[,rpmpackagename...]
-Use the rpm database to discover all files within the specified packages and restore the file contexts. (-a will get all files in the RPM database).
+.B \-R rpmpackagename[,rpmpackagename...]
+Use the rpm database to discover all files within the specified packages and restore the file contexts. (\-a will get all files in the RPM database).
.TP
-.B -C PREVIOUS_FILECONTEXT
+.B \-C PREVIOUS_FILECONTEXT
Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
.TP
.B -v
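Review bot: `.B -v` at the end of this hunk still carries a bare hyphen while every other option in OPTIONS was changed to `\-`; it should become `.B \-v`. While touching this section, `Clear /tmp directory with out prompt for removal.` should read `Clear /tmp directory without prompting for removal.`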
@ -249791,15 +250083,26 @@ index 6e33c85..7989aac 100644
return
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 28a9022..01b3420 100644
index 28a9022..ac62b49 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -14,15 +14,15 @@ Input local customizations
@@ -5,41 +5,41 @@ semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
Output local customizations
.br
-.B semanage [ -S store ] -o [ output_file | - ]
+.B semanage [ \-S store ] \-o [ output_file | \- ]
Input local customizations
.br
-.B semanage [ -S store ] -i [ input_file | - ]
+.B semanage [ \-S store ] \-i [ input_file | \- ]
Manage booleans. Booleans allow the administrator to modify the confinement of
processes based on his configuration.
.br
-.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B semanage boolean [\-S store] \-{d|m|l|D|E} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B semanage boolean [\-S store] \-{d|m|l|D|E} [\-nN] [\-\-on|\-\-off|\-\1|\-0] \-F boolean | boolean_file
Manage SELinux confined users (Roles and levels for an SELinux user)
.br
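Review bot: the boolean synopsis `[\-\-on|\-\-off|\-\1|\-0]` uses `\1`, which is not a groff escape; groff warns and drops the backslash, so the intended alternative should be written `\-1|\-0`. This predates the patch, but the line is being rewritten here, so fix it in the same pass as the `\-F` escape.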
@ -249813,7 +250116,8 @@ index 28a9022..01b3420 100644
Manage policy modules.
.br
@@ -30,16 +30,16 @@ Manage policy modules.
-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
+.B semanage module [\-S store] \-{a|d|l} [\-m [\-\-enable | \-\-disable] ] [\-N] module_name
Manage network port type definitions
.br
@ -249829,10 +250133,34 @@ index 28a9022..01b3420 100644
Manage network node type definitions
.br
-.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
+.B semanage node [\-S store] -{a|d|m|l|D|E} [-nNrt] [ -p protocol ] [-M netmask] address
+.B semanage node [\-S store] -{a|d|m|l|D|E} [\-nNrt] [ \-p protocol ] [\-M netmask] address
.br
Manage file context mapping definitions
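Review bot: `-{a|d|m|l|D|E}` at the start of the node synopsis keeps a bare hyphen while the rest of that line (`[\-nNrt] [ \-p protocol ] [\-M netmask]`) was converted; make it `\-{a|d|m|l|D|E}` to match the boolean and module lines above.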
@@ -97,12 +97,12 @@ Delete a OBJECT record NAME
Remove all OBJECTS local customizations
.TP
.I \-\-disable
-Disable a policy module, requires -m option
+Disable a policy module, requires \-m option
Currently modules only.
.TP
.I \-\-enable
-Enable a disabled policy module, requires -m option
+Enable a disabled policy module, requires \-m option
Currently modules only.
.TP
@@ -114,7 +114,7 @@ defined for the source.
.TP
.I \-f, \-\-ftype
File Type. This is used with fcontext.
-Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+Requires a file type as shown in the mode field by ls, e.g. use \-d to match only directories or \-\- to match only regular files.
.TP
.I \-F, \-\-file
Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
@@ -123,11 +123,15 @@ Currently booleans only.
.TP
@ -249850,8 +250178,78 @@ index 28a9022..01b3420 100644
.I \-C, \-\-locallist
List only locally defined settings, not base policy settings.
.TP
@@ -174,42 +178,42 @@ Take a set of commands from a specified file and load them in a single
transaction.
.TP
.I \-o, \-\-output
-Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
+Output all local customizations into a file. This file than can be used with the semanage \-i command to customize other machines to match the local machine.
.SH EXAMPLE
.nf
.B SELinux user
List SELinux users
-# semanage user -l
+# semanage user \-l
.B SELinux login
Change joe to login as staff_u
-# semanage login -a -s staff_u joe
+# semanage login \-a \-s staff_u joe
Change the group clerks to login as user_u
-# semanage login -a -s user_u %clerks
+# semanage login \-a \-s user_u %clerks
.B File contexts
-.i remember to run restorecon after you set the file context
+.I remember to run restorecon after you set the file context
Add file-context for everything under /web
-# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
-# restorecon -R -v /web
+# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
+# restorecon \-R \-v /web
Substitute /home1 with /home when setting file context
-# semanage fcontext -a -e /home /home1
-# restorecon -R -v /home1
+# semanage fcontext \-a \-e /home /home1
+# restorecon \-R \-v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
-# semanage fcontext -a -t home_root_t "/disk6"
-# semanage fcontext -a -e /home /disk6/home
-# restorecon -R -v /disk6
+# semanage fcontext \-a \-t home_root_t "/disk6"
+# semanage fcontext \-a \-e /home /disk6/home
+# restorecon \-R \-v /disk6
.B Port contexts
Allow Apache to listen on tcp port 81
-# semanage port -a -t http_port_t -p tcp 81
+# semanage port \-a \-t http_port_t \-p tcp 81
.B Change apache to a permissive domain
-# semanage permissive -a httpd_t
+# semanage permissive \-a httpd_t
.B Turn off dontaudit rules
# semanage dontaudit off
@@ -219,10 +223,10 @@ Multiple machines that need the same customizations.
Extract customizations off first machine, copy them
to second and import them.
-# semanage -o /tmp/local.selinux
+# semanage \-o /tmp/local.selinux
# scp /tmp/local.selinux secondmachine:/tmp
# ssh secondmachine
-# semanage -i /tmp/local.selinux
+# semanage \-i /tmp/local.selinux
If these customizations include file context, you need to apply the
context using restorecon.
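Review bot: `This file than can be used with the semanage \-i command` preserves a typo in the \-o description: `than` should be `then`.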
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 85bc37f..efb2616 100644
index 85bc37f..35591df 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -32,11 +32,10 @@ from IPy import IP
@ -249870,6 +250268,15 @@ index 85bc37f..efb2616 100644
import syslog
@@ -89,7 +88,7 @@ except:
self.log_list=[]
def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
- message += " %s name=%s" % (msg, name)
+ message = " %s name=%s" % (msg, name)
if sename != "":
message += " sename=" + sename
if oldsename != "":
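Review bot: the `+=` on the first statement of `log()` references `message` before any assignment, so every call raised UnboundLocalError as soon as a change was logged; changing it to `=` is the right fix. A small unit test that calls `log()` with only `msg` and `name` would keep this from regressing.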
@@ -377,7 +376,7 @@ class permissiveRecords(semanageRecords):
try:
import sepolgen.module as module
@ -249996,11 +250403,11 @@ index 4c5243a..036c418 100644
diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8
new file mode 100644
index 0000000..8ec509c
index 0000000..08e3bad
--- /dev/null
+++ b/policycoreutils/semodule/genhomedircon.8
@@ -0,0 +1,24 @@
+.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux"
+.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
+.SH NAME
+genhomedircon \- generate SELinux file context configuration entries for user home directories
+.SH SYNOPSIS
@ -250024,6 +250431,46 @@ index 0000000..8ec509c
+
+.SH "SEE ALSO"
+semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3)
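Review bot: changing the `.TH` section argument from `12` to `8` is correct and matches the `semodule(8)` and `semanage(8)` cross references; the date field still says `Sep 2011` for a page that this 2013 commit introduces as a new file, so update it while the header is being rewritten.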
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 9f911fb..35277e9 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -21,7 +21,7 @@ by semodule_package. Conventionally, these files have a .pp suffix
force a reload of policy
.TP
.B \-B, \-\-build
-force a rebuild of policy (also reloads unless -n is used)
+force a rebuild of policy (also reloads unless \-n is used)
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
@@ -65,19 +65,19 @@ be verbose
.SH EXAMPLE
.nf
# Install or replace a base policy package.
-$ semodule -b base.pp
+$ semodule \-b base.pp
# Install or replace a non-base policy package.
-$ semodule -i httpd.pp
+$ semodule \-i httpd.pp
# List non-base modules.
-$ semodule -l
+$ semodule \-l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
-$ semodule -DB
+$ semodule \-DB
# Turn "dontaudit" rules back on.
-$ semodule -B
+$ semodule \-B
# Install or replace all non-base modules in the current directory.
-$ semodule -i *.pp
+$ semodule \-i *.pp
# Install or replace all modules in the current directory.
-$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
+$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
.fi
.SH SEE ALSO
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 17b4fa5..6947b37 100644
--- a/policycoreutils/semodule/semodule.c
@ -250050,6 +250497,62 @@ index 17b4fa5..6947b37 100644
parse_command_line(argc, argv);
if (build)
diff --git a/policycoreutils/semodule_deps/semodule_deps.8 b/policycoreutils/semodule_deps/semodule_deps.8
index 86b7b3c..6f21a64 100644
--- a/policycoreutils/semodule_deps/semodule_deps.8
+++ b/policycoreutils/semodule_deps/semodule_deps.8
@@ -3,7 +3,7 @@
semodule_deps \- show the dependencies between SELinux policy packages.
.SH SYNOPSIS
-.B semodule_deps [-v -g -b] basemodpkg modpkg1 [modpkg2 ... ]
+.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ]
.br
.SH DESCRIPTION
.PP
@@ -19,12 +19,12 @@ general this means that the list of modules will usually be
quite long.
By default options to the base module are excluded as almost every
-module has this dependency. The -b option will include these
+module has this dependency. The \-b option will include these
dependencies.
In addition to human readable output, semodule_deps can output the
dependencies in the Graphviz dot format (http://www.graphviz.org/)
-using the -g option. This is useful for producing a picture of the
+using the \-g option. This is useful for producing a picture of the
dependencies.
.SH "OPTIONS"
diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8
index ddad2d2..563d526 100644
--- a/policycoreutils/semodule_package/semodule_package.8
+++ b/policycoreutils/semodule_package/semodule_package.8
@@ -3,7 +3,7 @@
semodule_package \- Create a SELinux policy module package.
.SH SYNOPSIS
-.B semodule_package -o <output file> -m <module> [-f <file contexts>]
+.B semodule_package \-o <output file> \-m <module> [\-f <file contexts>]
.br
.SH DESCRIPTION
.PP
@@ -16,11 +16,11 @@ be installed via semodule.
.SH EXAMPLE
.nf
# Build a policy package for a base module.
-$ semodule_package -o base.pp -m base.mod -f file_contexts
+$ semodule_package \-o base.pp \-m base.mod \-f file_contexts
# Build a policy package for a httpd module.
-$ semodule_package -o httpd.pp -m httpd.mod -f httpd.fc
+$ semodule_package \-o httpd.pp \-m httpd.mod \-f httpd.fc
# Build a policy package for local TE rules and no file contexts.
-$ semodule_package -o local.pp -m local.mod
+$ semodule_package \-o local.pp \-m local.mod
.fi
.SH "OPTIONS"
diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8
index 62dd53e..d6e1be0 100644
--- a/policycoreutils/semodule_package/semodule_unpackage.8
@ -250063,17 +250566,20 @@ index 62dd53e..d6e1be0 100644
.SH SYNOPSIS
.B semodule_unpackage <module> [<file contexts>]
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
index 11b534f..ae064c4 100644
index 11b534f..1724490 100644
--- a/policycoreutils/sepolicy/Makefile
+++ b/policycoreutils/sepolicy/Makefile
@@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin
@@ -7,9 +7,9 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
PYTHON ?= /usr/bin/python
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
SHAREDIR ?= $(PREFIX)/share/sandbox
override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
+override CFLAGS = -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
BASHCOMPLETIONS=sepolicy-bash-completion.sh
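Review bot: dropping `$(LDFLAGS)` from CFLAGS in the `override CFLAGS =` line is right (linker flags do not belong among the compiler flags), but `override CFLAGS =` still discards any CFLAGS supplied by the build environment, such as a distribution's hardening flags. The sestatus and setfiles Makefiles touched later in this same patch move to the pattern `CFLAGS ?= ...` followed by `override CFLAGS += -I$(PREFIX)/include ...`; this Makefile should adopt the same pattern so packager-provided flags survive.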
@@ -22,11 +22,15 @@ clean:
$(PYTHON) setup.py clean
@ -250192,7 +250698,7 @@ index 65458e6..cd1026a 100644
if (py_insert_string(dict, "protocol", proto_str))
goto err;
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 4eca22d..eeee0ab 100644
index 4eca22d..2a9e1c7 100644
--- a/policycoreutils/sepolicy/policy.c
+++ b/policycoreutils/sepolicy/policy.c
@@ -66,7 +66,6 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
@ -250203,6 +250709,15 @@ index 4eca22d..eeee0ab 100644
policy = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
apol_policy_path_destroy(&pol_path);
if (!policy) {
@@ -87,7 +86,7 @@ static PyMethodDef methods[] = {
{NULL, NULL, 0, NULL} /* sentinel */
};
-void init_policy() {
+void init_policy(void) {
PyObject *m;
m = Py_InitModule("_policy", methods);
init_info(m);
diff --git a/policycoreutils/sepolicy/sepolgen.8 b/policycoreutils/sepolicy/sepolgen.8
new file mode 100644
index 0000000..3ecf3eb
@ -250805,7 +251320,7 @@ index b25d3b2..7ca5554 100755
except KeyboardInterrupt:
sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..6ec0d09 100644
index 5e7415c..3f0372c 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy
@ -250901,7 +251416,7 @@ index 5e7415c..6ec0d09 100644
all_domains = []
types=get_all_types()
types.sort()
@@ -81,11 +134,49 @@ def get_all_entrypoint_domains():
@@ -81,11 +134,54 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
@ -250912,8 +251427,13 @@ index 5e7415c..6ec0d09 100644
+ import commands, os
+ ifile = defaults.interface_info()
+ headers = defaults.headers()
+ rebuild = False
+ try:
+ if os.stat(headers).st_mtime <= os.stat(ifile).st_mtime:
+ return
+ except OSError:
+ pass
+
+ if os.stat(headers).st_mtime > os.stat(ifile).st_mtime:
+ if os.getuid() != 0:
+ raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
+ print commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1]
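Review bot: the regeneration check in this hunk has two defects. `rebuild = False` is assigned but never read in the visible lines, and the `except OSError: pass` only protects the first `os.stat` pair: when `ifile` is absent, which is exactly the first-run case this change targets, the unguarded `os.stat(ifile)` on the following `if` line raises the same `OSError`. Suggest folding the decision into the try block, e.g. `needs_rebuild = os.stat(headers).st_mtime > os.stat(ifile).st_mtime` with `needs_rebuild = True` in the except branch, then a single `if needs_rebuild:` guarding the uid check and the `sepolgen-ifgen` run. Two smaller points: raising `ValueError` for a missing privilege is misleading to callers (it is a permission problem, not a bad value), and `commands.getstatusoutput(...)[1]` throws away the exit status, so a failed `sepolgen-ifgen` run is merely printed rather than reported.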
@ -250952,7 +251472,7 @@ index 5e7415c..6ec0d09 100644
return all_domains
roles = None
@@ -139,48 +230,48 @@ def get_all_attributes():
@@ -139,48 +235,48 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@ -251777,8 +252297,47 @@ index 5850622..5e308e3 100755
if "child" in self.sdict[name]:
for x in self.sdict[name]["child"]:
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index c5db7a3..c04ff00 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
ETCDIR ?= $(DESTDIR)/etc
LIBDIR ?= $(PREFIX)/lib
-CFLAGS = -Werror -Wall -W
+CFLAGS ?= -Werror -Wall -W
override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
LDLIBS = -lselinux -L$(LIBDIR)
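Review bot: `CFLAGS ?= -Werror -Wall -W` lets an externally supplied CFLAGS (for example the distribution's hardening flags) through, which is the intent, but it also means `-Werror -Wall -W` vanish entirely whenever CFLAGS is set in the environment. If warnings-as-errors should apply regardless of how the package is built, move those three flags onto the `override CFLAGS +=` line and keep `?=` only for the defaults a packager is expected to replace.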
diff --git a/policycoreutils/sestatus/sestatus.conf.5 b/policycoreutils/sestatus/sestatus.conf.5
index d2bb3fe..acfedf6 100644
--- a/policycoreutils/sestatus/sestatus.conf.5
+++ b/policycoreutils/sestatus/sestatus.conf.5
@@ -49,7 +49,7 @@ The start of the file list block.
.RE
.I file_name
.RS
-One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus -v\fR will also display the target file context.
+One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus \-v\fR will also display the target file context.
.RE
.sp
.B [process]
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index 4b44b3c..98f4f7d 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -8,7 +8,7 @@ AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
-CFLAGS = -g -Werror -Wall -W
+CFLAGS ?= -g -Werror -Wall -W
override CFLAGS += -I$(PREFIX)/include
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 80b6d6e..1215a29 100644
index 80b6d6e..ff759af 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts.
@ -251794,7 +252353,7 @@ index 80b6d6e..1215a29 100644
.SH "DESCRIPTION"
This manual page describes the
@@ -20,7 +20,7 @@ This program is primarily used to set the security context
@@ -20,17 +20,21 @@ This program is primarily used to set the security context
It can also be run at any other time to correct inconsistent labels, to add
support for newly-installed policy or, by using the \-n option, to passively
check whether the file contexts are all set as specified by the active policy
@ -251803,7 +252362,13 @@ index 80b6d6e..1215a29 100644
.P
If a file object does not have a context, restorecon will write the default
context to the file object's extended attributes. If a file object has a
@@ -30,7 +30,7 @@ The -F option will force a replacement of the entire context.
context, restorecon will only modify the type portion of the security context.
The -F option will force a replacement of the entire context.
+.P
+It is the same executable as
+.BR setfiles
+but operates in a slightly different manner depending on it's argv[0].
.SH "OPTIONS"
.TP
.B \-e directory
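Review bot: in the added paragraph, `it's argv[0]` should be `its argv[0]` (possessive), and the cross-reference would normally be written `.BR setfiles (8)` so it renders as a man-page reference consistent with the other `.BR` uses in these pages.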
@ -251812,7 +252377,7 @@ index 80b6d6e..1215a29 100644
.TP
.B \-f infilename
infilename contains a list of files to be processed. Use \- for stdin.
@@ -49,7 +49,7 @@ ignore files that do not exist.
@@ -49,7 +53,7 @@ ignore files that do not exist.
don't change any file labels (passive check).
.TP
.B \-o outfilename
@ -251822,7 +252387,7 @@ index 80b6d6e..1215a29 100644
.B \-p
show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 89d2a49..12bca43 100644
index 89d2a49..57067d2 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
@ -251830,10 +252395,19 @@ index 89d2a49..12bca43 100644
.SH "SYNOPSIS"
.B setfiles
-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
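Review bot: the synopsis now reinstates `[\-o filename]` and adds `[\-p]`, but none of the setfiles.8 OPTIONS hunks visible in this patch add a matching `.B \-p` entry. Check that `\-p` (progress output, which restorecon.8 in this patch documents as printing `*` every STAR_COUNT files) is described in the setfiles OPTIONS section too; otherwise the synopsis advertises an undocumented flag.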
@@ -23,7 +23,7 @@ check whether the file contexts are all set as specified by the active policy
If a file object does not have a context, setfiles will write the default
context to the file object's extended attributes. If a file object has a
context, setfiles will only modify the type portion of the security context.
-The -F option will force a replacement of the entire context.
+The \-F option will force a replacement of the entire context.
.SH "OPTIONS"
.TP
.B \-c
@@ -57,7 +57,7 @@ log changes in file labels to syslog.
don't change any file labels (passive check).
.TP
@ -252013,3 +252587,33 @@ index a6addc5..45d6538 100644
relabel:
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 38abeb8..d53f15b 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -4,21 +4,21 @@ setsebool \- set SELinux boolean value
.SH "SYNOPSIS"
.B setsebool
-.I "[ -PN ] boolean value | bool1=val1 bool2=val2 ..."
+.I "[ \-PN ] boolean value | bool1=val1 bool2=val2 ..."
.SH "DESCRIPTION"
.B setsebool
sets the current state of a particular SELinux boolean or a list of booleans
to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
-Without the -P option, only the current boolean value is
+Without the \-P option, only the current boolean value is
affected; the boot-time default settings
are not changed.
-If the -P option is given, all pending values are written to
+If the \-P option is given, all pending values are written to
the policy file on disk. So they will be persistent across reboots.
-If the -N option is given, the policy on disk is not reloaded into the kernel.
+If the \-N option is given, the policy on disk is not reloaded into the kernel.
.SH AUTHOR

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 38%{?dist}
Release: 39%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -315,7 +315,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Mon May 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-38
* Sun May 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-39
- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed, first time
- Add Sven Vermeulen patches to cleanup man pages
* Fri May 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-38
- No longer run sepolgen-ifgen at install time.
- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed.
- Update Translations
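Review bot: the new changelog header `* Sun May 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-39` has a day-of-week/date mismatch: May 10, 2013 was a Friday, as the preceding `* Fri May 10 2013` entry for 2.1.14-38 also records, and rpmbuild flags such entries as bogus dates. Use the actual release date. Also, the first bullet of the -39 entry repeats the "Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed" line already present under -38; the -39 bullet should state what changed in this release (the first-time-run behaviour), or be dropped.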